CVE-2020-3226 – Cisco IOS and IOS XE Software Session Initiation Protocol Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-3226
A vulnerability in the Session Initiation Protocol (SIP) library of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient sanity checks on received SIP messages. An attacker could exploit this vulnerability by sending crafted SIP messages to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service condition. Una vulnerabilidad en la biblioteca Session Initiation Protocol (SIP) de Cisco IOS Software y Cisco IOS XE Software, podría permitir que un atacante remoto no autenticado desencadene una recarga de un dispositivo afectado, resultando en una condición de denegación de servicio (DoS). • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sip-Cv28sQw2 • CWE-20: Improper Input Validation •
CVE-2020-3220 – Cisco IOS XE Software IPsec VPN Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-3220
A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device. The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle. Una vulnerabilidad en el controlador criptográfico de hardware de Cisco IOS XE Software para Cisco 4300 Series Integrated Services Routers y Cisco Catalyst 9800-L Wireless Controllers, podría permitir a un atacante remoto no autenticado desconectar las sesiones legítimas de VPN IPsec en un dispositivo afectado. La vulnerabilidad es debido a una verificación insuficiente de la autenticidad de los paquetes de Encapsulating Security Payload (ESP) recibidos. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-vpn-dos-edOmW28Z • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2020-3219 – Cisco IOS XE Software Web UI Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3219
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of user-supplied input to the web UI. An attacker could exploit this vulnerability by submitting crafted input to the web UI. A successful exploit could allow an attacker to execute arbitrary commands with administrative privileges on an affected device. Una vulnerabilidad en la Interfaz de Usuario web de Cisco IOS XE Software, podría permitir a un atacante remoto autenticado inyectar y ejecutar comandos arbitrarios con privilegios administrativos en el sistema operativo subyacente de un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj2-fOnjk2LD • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2020-3218 – Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-3218
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code with root privileges on the underlying Linux shell. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by first creating a malicious file on the affected device itself and then uploading a second malicious file to the device. A successful exploit could allow the attacker to execute arbitrary code with root privileges or bypass licensing requirements on the device. Una vulnerabilidad en la Interfaz de Usuario web de Cisco IOS XE Software, podría permitir a un atacante remoto autenticado con privilegios administrativos ejecutar código arbitrario con privilegios root en el shell de Linux subyacente. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-rce-uk8BXcUD • CWE-20: Improper Input Validation •
CVE-2020-3215 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3215
A vulnerability in the Virtual Services Container of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. The vulnerability is due to insufficient validation of a user-supplied open virtual appliance (OVA). An attacker could exploit this vulnerability by installing a malicious OVA on an affected device. Una vulnerabilidad en el Virtual Services Container de Cisco IOS XE Software, podría permitir a un atacante local autenticado conseguir privilegios de nivel root sobre un dispositivo afectado. La vulnerabilidad es debido a una comprobación insuficiente de un open virtual appliance (OVA) suministrado por el usuario. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-priv-esc1-OKMKFRhV • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •