ID CVE-2020-3336 Type cve Reporter cve@mitre.org Modified 2020-06-24T18:42:00
Description
A vulnerability in the software upgrade process of Cisco TelePresence Collaboration Endpoint Software and Cisco RoomOS Software could allow an authenticated, remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem. The vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API. A successful exploit could allow the attacker to modify the device configuration or cause a DoS.
{"id": "CVE-2020-3336", "bulletinFamily": "NVD", "title": "CVE-2020-3336", "description": "A vulnerability in the software upgrade process of Cisco TelePresence Collaboration Endpoint Software and Cisco RoomOS Software could allow an authenticated, remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem. The vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API. A successful exploit could allow the attacker to modify the device configuration or cause a DoS.", "published": "2020-06-18T03:15:00", "modified": "2020-06-24T18:42:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3336", "reporter": "cve@mitre.org", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-cmd-inj-7ZpWhvZb"], "cvelist": ["CVE-2020-3336"], "type": "cve", "lastseen": "2020-12-09T22:03:14", "edition": 8, "viewCount": 19, "enchantments": {"dependencies": {"references": [{"type": "cisco", "idList": ["CISCO-SA-TP-CMD-INJ-7ZPWHVZB"]}, {"type": "nessus", "idList": ["CISCO-SA-TP-CMD-INJ-7ZPWHVZB.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:8207D062CD4838B19CB8398D9259D2CC"]}], "modified": "2020-12-09T22:03:14", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2020-12-09T22:03:14", "rev": 2}, "vulnersScore": 6.0}, "cpe": ["cpe:/a:cisco:roomos:-", "cpe:/a:cisco:telepresence_collaboration_endpoint:9.12.3", "cpe:/a:cisco:telepresence_collaboration_endpoint:9.10.2"], "affectedSoftware": [{"cpeName": "cisco:telepresence_collaboration_endpoint", "name": "cisco telepresence collaboration endpoint", "operator": "lt", "version": "9.9.4"}, {"cpeName": "cisco:roomos", "name": "cisco roomos", "operator": "eq", "version": "-"}, {"cpeName": "cisco:telepresence_collaboration_endpoint", "name": "cisco telepresence collaboration endpoint", "operator": "le", "version": "9.10.2"}, {"cpeName": "cisco:telepresence_collaboration_endpoint", "name": "cisco telepresence collaboration endpoint", "operator": "le", "version": "9.12.3"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:cisco:roomos:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:telepresence_collaboration_endpoint:9.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:telepresence_collaboration_endpoint:9.12.3:*:*:*:*:*:*:*"], "cwe": ["CWE-78"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:cisco:telepresence_collaboration_endpoint:9.9.4:*:*:*:*:*:*:*", "versionEndExcluding": "9.9.4", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:telepresence_collaboration_endpoint:9.12.3:*:*:*:*:*:*:*", "versionEndIncluding": "9.12.3", "versionStartIncluding": "9.12.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:roomos:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:telepresence_collaboration_endpoint:9.10.2:*:*:*:*:*:*:*", "versionEndIncluding": "9.10.2", "versionStartIncluding": "9.10.0", "vulnerable": true}], "operator": "OR"}]}}
{"nessus": [{"lastseen": "2020-11-15T01:35:14", "description": "According to its self-reported version, Cisco TelePresence CE Software is affected by a vulnerability. Please see the\nincluded Cisco BIDs and Cisco Security Advisory for more information.", "edition": 3, "cvss3": {"score": 7.2, "vector": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-06-26T00:00:00", "title": "Cisco TelePresence Collaboration Endpoint and RoomOS Software Command Injection Vulnerability (cisco-sa-tp-cmd-inj-7ZpWhvZb)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3336"], "modified": "2020-06-26T00:00:00", "cpe": ["cpe:/o:cisco:telepresence_ce"], "id": "CISCO-SA-TP-CMD-INJ-7ZPWHVZB.NASL", "href": "https://www.tenable.com/plugins/nessus/137856", "sourceData": "#TRUSTED 41853b79e8823757853c1ef84a7e088c261a8b4b22498f636ff755cf4dca012ce90c48b90af6930d06af8a46f26b38dfb21fd01cf86f06e0e189bd60091c5b13c73030906959be183be1214e4226e30a7d26fe7e6f4bc086793207e8679ce1e115082bc11c2b7d00f5137a0ad2eceac6b81d0e802fe59b1c5cdca0c5ce536da7664a39705022175d317e7de69bbfa093275b7bb30fa328c5dbbab22e8f8121cb72b6c9c497145ace26c14375e17b55b651d50faba65f9c1e053b0aeb31e76015e85c3e7461ffcec734e4bd8b1c74eb385b39732d4b8145dcbeda04a02312604b3df8518e008b1039dde6e0621f98d329ad8376f231de29b25893e905b373f9eb8d90e741f888909675ed72a1b96c26cc96fe346c62554d4c2bf05e87001961df551f2afab98fc623caf4f4cd2fe2fb1e2767e87b0724a6a83c1dfbe27fb5e67217503b3cd0098bba78fc6d460d8a5bfe5b0db04e8834a6d5d561bbb884b2c182484057a71f6046ca15e67c4ed37649e234d6385ff92f0c22139338689a4cb44cccc21d47ac034cd6b1c04e7f3425d79efb463d766ba34161b4a7e24298231ec95ed7852967023261e5bac10f9043f2b7f3aac55047bb6d5ee0ec7cfbb6c5f2f502fd466cdd66c4e2c1b35f8548c23a8e70d8e2e0ac98bc2161adfe882b96a792a954549d74c9978d66c64537180bc53f76b8945c56bb783c24391cce0d25228a\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137856);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\"CVE-2020-3336\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt94558\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-tp-cmd-inj-7ZpWhvZb\");\n script_xref(name:\"IAVA\", value:\"2020-A-0280-S\");\n\n script_name(english:\"Cisco TelePresence Collaboration Endpoint and RoomOS Software Command Injection Vulnerability (cisco-sa-tp-cmd-inj-7ZpWhvZb)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco TelePresence CE Software is affected by a vulnerability. Please see the\nincluded Cisco BIDs and Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-cmd-inj-7ZpWhvZb\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c846154b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt94558\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvt94558\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3336\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(78);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:telepresence_ce\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_telepresence_mcu_detect.nasl\");\n script_require_keys(\"Cisco/TelePresence_MCU/Device\", \"Cisco/TelePresence_MCU/Version\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\napp_name = 'Cisco TelePresence TC/CE software';\nversion = get_kb_item_or_exit('Cisco/TelePresence_MCU/Version');\n\nshort_version = pregmatch(pattern: \"^(TC|ce)(\\d+(?:\\.\\d+){0,2})\", string:version);\nif (isnull(short_version))\n audit(AUDIT_NOT_DETECT, app_name);\nelse\n{\n short_type = short_version[1];\n short_num = short_version[2];\n}\n\nfix = '';\nbugid = 'CSCvt94558';\n\nif (short_type == 'ce'){\n if (short_num =~ \"^([0-8]\\.|9\\.[0-8]($|[^0-9])|^9\\.9)\")\n fix = '9.9.4';\n else if (short_num =~ \"^9\\.10\\.\")\n fix = '9.10.2';\n else if (short_num =~ \"^9\\.12\\.\")\n fix = '9.12.3';\n}\nelse audit(AUDIT_NOT_DETECT, app_name);\n\nif (!empty_or_null(fix) && ver_compare(ver:short_num, fix:fix, strict:FALSE) < 0)\n{\n report = '\\n Installed Version : ' + version +\n '\\n Cisco Bug ID : ' + bugid +\n '\\n';\n\n security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2020-12-24T11:40:30", "bulletinFamily": "software", "cvelist": ["CVE-2020-3336"], "description": "A vulnerability in the software upgrade process of Cisco TelePresence Collaboration Endpoint Software and Cisco RoomOS Software could allow an authenticated, remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem.\n\nThe vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API. A successful exploit could allow the attacker to modify the device configuration or cause a DoS.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-cmd-inj-7ZpWhvZb [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-cmd-inj-7ZpWhvZb\"]", "modified": "2020-06-17T16:00:00", "published": "2020-06-17T16:00:00", "id": "CISCO-SA-TP-CMD-INJ-7ZPWHVZB", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-cmd-inj-7ZpWhvZb", "type": "cisco", "title": "Cisco TelePresence Collaboration Endpoint and RoomOS Software Command Injection Vulnerability", "cvss": {"score": 7.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "threatpost": [{"lastseen": "2020-10-15T22:18:04", "bulletinFamily": "info", "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3263", "CVE-2020-3336", "CVE-2020-3342", "CVE-2020-3347", "CVE-2020-3361"], "description": "Cisco is warning of three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems.\n\nBeyond Webex, the networking giant on Wednesday also patched a slew of bugs across several products, including its small business RV routers and TelePresence Collaboration Endpoint software. It\u2019s also investigating whether vulnerabilities affect other products.\n\nThe most severe flaw (CVE-2020-3342) exists in the Webex Meetings Desktop App for Mac and ranks 8.8 out of 10 on the CVSS scale. The flaw stems from an improper validation of cryptographic protections, on files that are downloaded by the application as part of a software update, according to Cisco.\n\n\u201cAn attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website,\u201d according to [Cisco\u2019s security update](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-mac-X7vp65BL>). \u201cThe client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nVersions of the Webex Meetings Desktop App for Mac app earlier than Release 39.5.11 are affected; a fix is available in releases 39.5.11 and later. Windows versions of the app are not affected.\n\nA second flaw (CVE-2020-3361), which ranks 8.1 out of 10 on the CVSS scale, could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site. The vulnerability stems from improper handling of authentication tokens by a vulnerable Webex site.\n\n\u201cAn attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site,\u201d according to [Cisco\u2019s security update](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-token-zPvEjKN>). \u201cIf successful, the attacker could gain the privileges of another user within the affected Webex site.\u201d\n\nCisco Webex Meetings sites (releases WBS 39.5.25 and earlier, WBS 40.4.10 and earlier, or release WBS 40.6.0), and Cisco Webex Meetings Server (releases 4.0MR3 and earlier) are affected. The flaw has been fixed in Cisco Webex Meetings Server Release 4.0 MR3 Security Patch 1; Cisco said customers on Cisco hosted Webex Meetings sites do not need to take any actions to receive this update.\n\nThe [final Webex vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-url-fcmpdfVY>) exists in Cisco Webex Meetings Desktop App (releases earlier than Release 39.5.12), which could allow an unauthenticated, remote attacker to execute programs on an affected end-user system. This flaw (CVE-2020-3263) which ranks 7.5 out of 10 on the CVSS scale, is due to improper validation of input that is supplied to application URLs.\n\nA bad actor could exploit the glitch by persuading a user to follow a malicious URL. They could then cause an application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system, according to Cisco. Cisco Webex Meetings Desktop App releases earlier than Release 39.5.12; a fix is available in releases 40.1.0 and later.\n\nCisco also patched a medium-severity flaw (CVE-2020-3347) that could enable an authenticated, local attacker to gain access to sensitive information \u2013 including usernames, meeting information, or authentication tokens \u2013 on an affected system.\n\n\u201cIn an attack scenario, any malicious local user or malicious process running on a computer where WebEx Client for Windows is installed can monitor the memory mapped file for a login token,\u201d said Martin Rakhmanov with Trustwave\u2019s SpiderLabs research team, who discovered the flaw, in a [Thursday analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cisco-webex-memory-for-the-taking-cve-2020-3347/>). \u201cOnce found the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the WebEx account in question, download Recordings, view/edit Meetings, etc.\u201d\n\n## **Remote Working Impact**\n\nThe disclosed vulnerabilities come at a time when Webex and other online conferencing apps are surging in popularity, as the coronavirus drives [more employees to work remotely](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>).\n\n\u201cDue to the global pandemic of COVID-19, there\u2019s been an explosion of video conferencing and messaging software usage to help people transition their work-life to a work from home environment,\u201d said Rakhmanov. \u201cVulnerabilities in this type of software now present an even greater risk to its users.\u201d\n\nIn addition to Webex, Cisco also patched another type of collaboration tool; its Cisco TelePresence Collaboration Endpoint Software, used for conferencing meetings. According to Cisco, a high-severity flaw (CVE-2020-3336) in the software could allow a remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem. The bad actor would need to be authenticated, however, which is in part why the bug only ranks 7.2 out of 10 on the CVSS scale.\n\n\u201cAn attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API,\u201d [according to Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-cmd-inj-7ZpWhvZb>). \u201cA successful exploit could allow the attacker to modify the device configuration or cause a DoS.\u201d\n\n## **Small Business Routers**\n\nCisco also patched several high-severity flaws in its [small business RV series routers](<https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html>), which offer virtual private networking technology for remote workers at small businesses.\n\nThese fixes address vulnerabilities tied to [11 CVEs in the web-based management interface](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz>) of Cisco Small Business RV320, RV325, RV016, RV042, and RV082 routers, which if exploited could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code on an affected device.\n\nAlso patched were [two flaws in the web-based management interface](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ>) of Cisco RV110W, RV130, RV130W, and RV215W Series Routers, which if exploited could enable a authenticated attacker (with administrative privileges) to execute arbitrary commands remotely.\n\nFlaws tied to six CVEs [were also patched](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8>) in the web-based management interface of Cisco Small Business RV320, RV325, RV016, RV042, and RV082 Routers. If exploited these could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.\n\nCisco\u2019s Wednesday slew of security updates also addressed the [critical \u201cRipple20\u201d flaws](<https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/>) that were disclosed on Monday. The 19 different vulnerabilities, four of them critical, affect hundreds of millions of internet of things (IoT) and industrial-control devices.\n\nCisco said it is currently investigating the Cisco ASR 5000 Series Router, Cisco Home Node-B Gateway, Cisco IP Services Gateway (IPSG) and Cisco PDSN/HA Packet Data Serving Node and Home Agent to see if they are affected by the flaws.\n\n\u201cCisco is investigating its product line to determine which products may be affected by these vulnerabilities,\u201d [according to the advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC>). \u201cAs the investigation progresses, Cisco will update this advisory with information about affected products.\u201d\n\n**_Insider threats are different in the work-from home era. On _**[**_June 24 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, \u201c_**_**The Enemy Within: How Insider Threats Are Changing.\u201d **_**_Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it_**_**. **_[**_Please register here_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_ for this Threatpost webinar._**\n\nWrite a comment\n\n**Share this article:**\n\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "modified": "2020-06-18T16:18:12", "published": "2020-06-18T16:18:12", "id": "THREATPOST:8207D062CD4838B19CB8398D9259D2CC", "href": "https://threatpost.com/cisco-webex-router-code-execution/156706/", "type": "threatpost", "title": "Cisco Webex, Router Bugs Allow Code Execution", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
