First published: Sun Jan 26 2020
A vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) could allow an unauthenticated, remote attacker to bypass configured deny entries for specific IP ports. These IP ports would be permitted to the OOB management interface when, in fact, the packets should be dropped. The vulnerability is due to the configuration of specific IP table entries for which there is a programming logic error that results in the IP port being permitted. An attacker could exploit this vulnerability by sending traffic to the OOB management interface on the targeted device. A successful exploit could allow the attacker to bypass configured IP table rules to drop specific IP port traffic. The attacker has no control over the configuration of the device itself. This vulnerability affects Cisco APIC releases prior to the first fixed software Release 4.2(3j).
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix
---|---|---
Cisco Application Policy Infrastructure Controller | < 4.2(3j) | Upgrade to Cisco APIC Release 4.2(3j) or later
CVE-2020-3139 is a vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) that could allow an unauthenticated, remote attacker to bypass deny entries for specific IP ports.
The severity of CVE-2020-3139 is medium with a CVSS score of 5.3.
CVE-2020-3139 affects Cisco Application Policy Infrastructure Controller by allowing an attacker to bypass deny entries for specific IP ports on the out of band (OOB) management interface.
An attacker can exploit CVE-2020-3139 by sending specially crafted requests to the vulnerable OOB management interface of Cisco APIC.
Cisco has released software updates that address this vulnerability; refer to the official Cisco Security Advisory for details.
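The advisory says a rule-programming logic error leaves ports permitted that the configured deny entries should drop, without saying what the error is. The added example below (not Cisco's code, and not APIC's real ruleset) assumes one common cause, a deny rule programmed after a broader accept, and audits an iptables-save style listing with iptables first-match semantics to report deny entries that can never take effect; the interface name oob0 and the rules are constructed.

```python
import re

# Constructed sample in iptables-save syntax (not APIC's real rules): the
# operator intends to drop TCP 22 and 8443 on the OOB interface, but the
# 8443 rule was programmed after a broad ACCEPT and so never matches.
SAMPLE_RULES = """
-A INPUT -i oob0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i oob0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i oob0 -j ACCEPT
-A INPUT -i oob0 -p tcp -m tcp --dport 8443 -j DROP
"""

RULE_RE = re.compile(
    r"-A (\S+)(?: -i (\S+))?(?: -p (\S+))?(?: -m \S+)?(?: --dport (\d+))? -j (\S+)")

def parse_rules(text):
    """Parse '-A CHAIN [-i IF] [-p PROTO] [-m MOD] [--dport N] -j TARGET' lines."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, iface, proto, dport, target = m.groups()
            rules.append({"chain": chain, "iface": iface, "proto": proto,
                          "dport": int(dport) if dport else None,
                          "target": target})
    return rules

def effective_verdict(rules, chain, iface, proto, dport, policy="ACCEPT"):
    """First matching rule wins, as in iptables; else the chain policy applies."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["iface"] not in (None, iface) or r["proto"] not in (None, proto):
            continue
        if r["dport"] not in (None, dport):
            continue
        return r["target"]
    return policy

def ineffective_denies(rules, chain="INPUT"):
    """Return (iface, proto, dport, verdict) for every per-port DROP/REJECT
    rule whose packets are actually decided by an earlier non-deny rule."""
    findings = []
    for r in rules:
        if r["chain"] != chain or r["target"] not in ("DROP", "REJECT"):
            continue
        if r["dport"] is None:
            continue
        verdict = effective_verdict(rules, chain, r["iface"], r["proto"], r["dport"])
        if verdict not in ("DROP", "REJECT"):
            findings.append((r["iface"], r["proto"], r["dport"], verdict))
    return findings

if __name__ == "__main__":
    for finding in ineffective_denies(parse_rules(SAMPLE_RULES)):
        print("deny rule shadowed:", finding)
```

Running the audit against a real `iptables-save` dump of the OOB interface shows which configured deny entries are not effective; the same check after upgrading confirms the fix.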