Lucene search

[email protected]NVD:CVE-2020-8349

HistoryOct 14, 2020 - 10:15 p.m.

CVE-2020-8349

2020-10-1422:15:13

CWE-20

CWE-94

[email protected]

web.nvd.nist.gov

security review

remote code execution

cnos

rest api

vulnerability

lenovo

upgrade

acl

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

78.6%

JSON

An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL.

Affected configurations

Nvd

Node

lenovocloud_networking_operating_systemRange<10.10.6.0

AND

lenovorackswitch_g8272Match-

lenovorackswitch_g8296Match-

lenovorackswitch_g8332Match-

lenovorackswitch_ne0152tMatch-

lenovorackswitch_ne10032Match-

lenovorackswitch_ne1032Match-

lenovorackswitch_ne1032tMatch-

lenovorackswitch_ne1072tMatch-

lenovorackswitch_ne2572Match-

VendorProductVersionCPE
lenovocloud_networking_operating_system*cpe:2.3:o:lenovo:cloud_networking_operating_system:*:*:*:*:*:*:*:*
lenovorackswitch_g8272-cpe:2.3:h:lenovo:rackswitch_g8272:-:*:*:*:*:*:*:*
lenovorackswitch_g8296-cpe:2.3:h:lenovo:rackswitch_g8296:-:*:*:*:*:*:*:*
lenovorackswitch_g8332-cpe:2.3:h:lenovo:rackswitch_g8332:-:*:*:*:*:*:*:*
lenovorackswitch_ne0152t-cpe:2.3:h:lenovo:rackswitch_ne0152t:-:*:*:*:*:*:*:*
lenovorackswitch_ne10032-cpe:2.3:h:lenovo:rackswitch_ne10032:-:*:*:*:*:*:*:*
lenovorackswitch_ne1032-cpe:2.3:h:lenovo:rackswitch_ne1032:-:*:*:*:*:*:*:*
lenovorackswitch_ne1032t-cpe:2.3:h:lenovo:rackswitch_ne1032t:-:*:*:*:*:*:*:*
lenovorackswitch_ne1072t-cpe:2.3:h:lenovo:rackswitch_ne1072t:-:*:*:*:*:*:*:*
lenovorackswitch_ne2572-cpe:2.3:h:lenovo:rackswitch_ne2572:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lenovo	cloud_networking_operating_system	*	cpe:2.3:o:lenovo:cloud_networking_operating_system::::::::
lenovo	rackswitch_g8272	-	cpe:2.3:h:lenovo:rackswitch_g8272:-:::::::*
lenovo	rackswitch_g8296	-	cpe:2.3:h:lenovo:rackswitch_g8296:-:::::::*
lenovo	rackswitch_g8332	-	cpe:2.3:h:lenovo:rackswitch_g8332:-:::::::*
lenovo	rackswitch_ne0152t	-	cpe:2.3:h:lenovo:rackswitch_ne0152t:-:::::::*
lenovo	rackswitch_ne10032	-	cpe:2.3:h:lenovo:rackswitch_ne10032:-:::::::*
lenovo	rackswitch_ne1032	-	cpe:2.3:h:lenovo:rackswitch_ne1032:-:::::::*
lenovo	rackswitch_ne1032t	-	cpe:2.3:h:lenovo:rackswitch_ne1032t:-:::::::*
lenovo	rackswitch_ne1072t	-	cpe:2.3:h:lenovo:rackswitch_ne1072t:-:::::::*
lenovo	rackswitch_ne2572	-	cpe:2.3:h:lenovo:rackswitch_ne2572:-:::::::*

References

support.lenovo.com/us/en/product_security/LEN-44423

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

78.6%

JSON

Related for NVD:CVE-2020-8349

cvelist1 lenovo2 cve1 prion1