Details of VAR-202209-1886

ID

VAR-202209-1886

CVE

CVE-2022-20662

TITLE

Cisco Systems macOS for Duo Authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-018197

DESCRIPTION

A vulnerability in the smart card login authentication of Cisco Duo for macOS could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability exists because the assigned user of a smart card is not properly matched with the authenticating user. An attacker could exploit this vulnerability by configuring a smart card login to bypass Duo authentication. A successful exploit could allow the attacker to use any personal identity verification (PIV) smart card for authentication, even if the smart card is not assigned to the authenticating user. (DoS) It may be in a state. Cisco Duo is a fully managed solution from Cisco. Provide secure access to your applications and data. An authorization problem vulnerability exists in Cisco Duo

Trust: 1.8

sources: NVD: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // VULHUB: VHN-405215 // VULMON: CVE-2022-20662

AFFECTED PRODUCTS

vendor:	cisco	model:	duo	scope:	lt	version:	2.0.0	Trust: 1.0
vendor:	シスコシステムズ	model:	duo	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	duo	scope:	eq	version:	2.0.0	Trust: 0.8

sources: JVNDB: JVNDB-2022-018197 // NVD: CVE-2022-20662

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20662
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20662
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-20662
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202209-2858
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2022-20662
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20662
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2022-20662
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858 // NVD: CVE-2022-20662 // NVD: CVE-2022-20662

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.1
problemtype:	Inappropriate authentication (CWE-287) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-405215 // JVNDB: JVNDB-2022-018197 // NVD: CVE-2022-20662

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202209-2858

PATCH

title:	cisco-sa-duo-macOS-bypass-uKZNpXE6	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-macOS-bypass-uKZNpXE6	Trust: 0.8
title:	Cisco Duo Remediation measures for authorization problem vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=209317	Trust: 0.6
title:	Cisco: Cisco Duo for macOS Authentication Bypass Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-duo-macOS-bypass-uKZNpXE6	Trust: 0.1

sources: VULMON: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20662	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-018197	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.4812	Trust: 0.6
db:	CNNVD	id:	CNNVD-202209-2858	Trust: 0.6
db:	CNVD	id:	CNVD-2022-69161	Trust: 0.1
db:	VULHUB	id:	VHN-405215	Trust: 0.1
db:	VULMON	id:	CVE-2022-20662	Trust: 0.1

sources: VULHUB: VHN-405215 // VULMON: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858 // NVD: CVE-2022-20662

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-duo-macos-bypass-ukznpxe6	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20662	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.4812	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-20662/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-405215 // VULMON: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858 // NVD: CVE-2022-20662

SOURCES

db:	VULHUB	id:	VHN-405215
db:	VULMON	id:	CVE-2022-20662
db:	JVNDB	id:	JVNDB-2022-018197
db:	CNNVD	id:	CNNVD-202209-2858
db:	NVD	id:	CVE-2022-20662

LAST UPDATE DATE

2024-08-14T15:06:07.476000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405215	date:	2022-10-04T00:00:00
db:	VULMON	id:	CVE-2022-20662	date:	2022-09-30T00:00:00
db:	JVNDB	id:	JVNDB-2022-018197	date:	2023-10-19T02:26:00
db:	CNNVD	id:	CNNVD-202209-2858	date:	2022-10-08T00:00:00
db:	NVD	id:	CVE-2022-20662	date:	2023-11-07T03:42:33.423

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405215	date:	2022-09-30T00:00:00
db:	VULMON	id:	CVE-2022-20662	date:	2022-09-30T00:00:00
db:	JVNDB	id:	JVNDB-2022-018197	date:	2023-10-19T00:00:00
db:	CNNVD	id:	CNNVD-202209-2858	date:	2022-09-28T00:00:00
db:	NVD	id:	CVE-2022-20662	date:	2022-09-30T19:15:10.437