A vulnerability in the Enable Secret feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker to issue the enable command and get full administrative privileges. To exploit this vulnerability, the attacker would need to have valid credentials for the affected device. The vulnerability is due to a logic error in the implementation of the enable command. An attacker could exploit this vulnerability by logging in to the device and issuing the enable command. A successful exploit could allow the attacker to gain full administrative privileges without using the enable password. Note: The Enable Secret feature is disabled by default.
{"cisco": [{"lastseen": "2022-03-23T01:37:32", "description": "A vulnerability in the Enable Secret feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker to issue the enable command and get full administrative privileges. To exploit this vulnerability, the attacker would need to have valid credentials for the affected device.\n\nThe vulnerability is due to a logic error in the implementation of the enable command. An attacker could exploit this vulnerability by logging in to the device and issuing the enable command. A successful exploit could allow the attacker to gain full administrative privileges without using the enable password.\n\nNote: The Enable Secret feature is disabled by default.\n\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3n9k-priv-escal-3QhXJBC [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3n9k-priv-escal-3QhXJBC\"]\n\nThis advisory is part of the August 2020 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes seven Cisco Security Advisories that describe seven vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: August 2020 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication [\"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74239\"].", "cvss3": {}, "published": "2020-08-26T16:00:00", "type": "cisco", "title": "Cisco Nexus 3000 and 9000 Series Switches Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-3394"], "modified": "2020-08-26T20:59:18", "id": "CISCO-SA-N3N9K-PRIV-ESCAL-3QHXJBC", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3n9k-priv-escal-3QhXJBC", "cvss": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "nessus": [{"lastseen": "2022-02-19T12:21:04", "description": "According to its self-reported version, Cisco NX-OS Software is affected by a vulnerability in the Enable Secret feature due to a logic error in the implementation of the enable command. An authenticated, local attacker can exploit this, by logging in to the device and issuing the enable command, in order to gain full administrative privileges without using the enable password.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-01T00:00:00", "type": "nessus", "title": "Cisco Nexus 3000 and 9000 Series Switches Privilege Escalation (cisco-sa-n3n9k-priv-escal-3QhXJBC)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-3394"], "modified": "2020-10-12T00:00:00", "cpe": ["cpe:/o:cisco:nx-os"], "id": "CISCO-SA-N3N9K-PRIV-ESCAL-3QHXJBC.NASL", "href": "https://www.tenable.com/plugins/nessus/140097", "sourceData": "#TRUSTED 9f566fe9f63a4a9da784f9a062cd58810360cf524ca6d48f6ed0555e1a6e0f5feeb014c636aed00197f58aa4998ed63feb1b40aab52a555691cf154672b122ace2cab05038d53051763053bc53e3abd9cb84049c503ab838391e3b79950bac3389cfc6a584335582cff2d6ab420238724499e7e6c099a95aeb2a712eb436214070579d33e832db402aae24a0d1052e57adb1cae6f0d72860b6b8d96625bc9ad41356cd0f063ab6e67591048df7ec568025085f517ba98cd1e7d1599b6d9efd16fa5e78addff1e5394295d084b3e38ae07a3f2ef3f6553660e21f15c1d978b9c29fae8603fcad660e583228b0ead7e50a451eeefb0b3a25db347163f3a59481e8f7dc49d42c1d61f2de4e4d0bd550484fca03bf1c13e7bbf00d0e2486ddb988badeb8cf2bd4ddc733cfa97071f5730f84ac4d570d82f4e82a4b26099cb36dd5132315753a1d1acfa3528cd3f508ca51d55c762313a7bf8db13ad339af7c22820a2c2f3ee633dfcb3ce902cbc40fe2335a61526f0fafa5f8c30e84d4e244712bc652642d2c8b43bfdbc5fdbe93c00b50c61ae5061103dff2da935f5ad63a088b48a1cf8ac6336b7e40584b882813a3c859d8c1571b79a12f66f751a08607103670e3713bfb1324dd21cb718c6eda8f10b21dc284b434c843baf97959a0ddeeb4e8b14f36b3f7659f2ddfad5a609cf545f3f06ca1c0c916b5604f971a6c206d95ac\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140097);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/12\");\n\n script_cve_id(\"CVE-2020-3394\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt77885\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-n3n9k-priv-escal-3QhXJBC\");\n script_xref(name:\"IAVA\", value:\"2020-A-0394\");\n\n script_name(english:\"Cisco Nexus 3000 and 9000 Series Switches Privilege Escalation (cisco-sa-n3n9k-priv-escal-3QhXJBC)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco NX-OS Software is affected by a vulnerability in the Enable Secret\nfeature due to a logic error in the implementation of the enable command. An authenticated, local attacker can exploit\nthis, by logging in to the device and issuing the enable command, in order to gain full administrative privileges\nwithout using the enable password.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3n9k-priv-escal-3QhXJBC\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c634fbd\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74239\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt77885\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvt77885\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3394\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(285);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:nx-os\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_nxos_version.nasl\");\n script_require_keys(\"Host/Cisco/NX-OS/Version\", \"Host/Cisco/NX-OS/Model\", \"Host/Cisco/NX-OS/Device\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco NX-OS Software');\n\nif ('Nexus' >!< product_info.device || product_info.model !~ \"^[39][0-9]{3}\")\n audit(AUDIT_HOST_NOT, 'an affected model');\n\n# not 9k in ACI mode\nif (!(empty_or_null(get_kb_list('Host/aci/*'))))\n audit(AUDIT_HOST_NOT, 'an affected model due to ACI mode');\n\nversion_list=make_list(\n '9.2(1)',\n '9.2(2)',\n '9.2(2t)',\n '9.2(2v)',\n '9.2(3)',\n '9.2(3y)',\n '9.2(4)',\n '9.3(1)',\n '9.3(1z)',\n '9.3(2)',\n '9.3(3)'\n);\n\nworkarounds = make_list(CISCO_WORKAROUNDS['feature_privilege'], CISCO_WORKAROUNDS['enable_secret']);\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvt77885',\n 'cmds' , make_list('show running-config')\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_versions:version_list,\n workarounds:workarounds,\n require_all_workarounds:TRUE\n);\n\n\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
CVE-2020-3394
