// For flags

CVE-2023-20190

 

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device.
This vulnerability is due to incorrect destination address range encoding in the compression module of an ACL that is applied to an interface of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that should be denied by the configured ACL. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device, allowing the attacker to access trusted networks that the device might be protecting.
There are workarounds that address this vulnerability.

This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication .

Una vulnerabilidad en la característica de compresión de la clásica lista de control de acceso (ACL) del software Cisco IOS XR podría permitir que un atacante remoto no autenticado evite la protección que ofrece una ACL configurada en un dispositivo afectado. Esta vulnerabilidad se debe a una codificación incorrecta del rango de direcciones de destino en el módulo de compresión de una ACL que se aplica a una interfaz de un dispositivo afectado. Un atacante podría aprovechar esta vulnerabilidad enviando tráfico a través del dispositivo afectado que la ACL configurada debería denegar. Una explotación existosa exitoso podría permitir al atacante eludir las protecciones ACL configuradas en el dispositivo afectado, permitiéndole acceder a redes confiables que el dispositivo podría estar protegiendo. Existen workarounds que abordan esta vulnerabilidad. Este aviso es parte de la publicación de septiembre de 2023 del paquete de avisos de seguridad del software Cisco IOS XR.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-10-27 CVE Reserved
  • 2023-09-13 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-10-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
 Ios Xr
Search vendor "Cisco" for product "Ios Xr"
 < 7.3.5
Search vendor "Cisco" for product "Ios Xr" and version " < 7.3.5"
-
Affected
Cisco
Search vendor "Cisco"
 Ios Xr
Search vendor "Cisco" for product "Ios Xr"
 >= 7.5 < 7.5.4
Search vendor "Cisco" for product "Ios Xr" and version " >= 7.5 < 7.5.4"
-
Affected
Cisco
Search vendor "Cisco"
 Ios Xr
Search vendor "Cisco" for product "Ios Xr"
 >= 7.6 < 7.8.2
Search vendor "Cisco" for product "Ios Xr" and version " >= 7.6 < 7.8.2"
-
Affected
Cisco
Search vendor "Cisco"
 Ios Xr
Search vendor "Cisco" for product "Ios Xr"
 7.9
Search vendor "Cisco" for product "Ios Xr" and version "7.9"
-
Affected