Lucene search

LenovoCVELIST:CVE-2020-8349

HistoryOct 14, 2020 - 9:25 p.m.

CVE-2020-8349

2020-10-1421:25:21

CWE-20

lenovo

www.cve.org

cnos

rest api

unauthenticated remote code execution

vulnerability

management interface

vrf

acls

lenovo

upgrade

disabling

restricting access

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.006

Percentile

78.6%

JSON

An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL.

CNA Affected

[
  {
    "product": "Cloud Networking Operating System (CNOS)",
    "vendor": "Lenovo",
    "versions": [
      {
        "lessThan": "10.10.6.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

support.lenovo.com/us/en/product_security/LEN-44423

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.006

Percentile

78.6%

JSON

Related for CVELIST:CVE-2020-8349