CVE-2020-3407: Cisco IOS XE Software RESTCONF and NETCONF-YANG Access Control List Denial of Service Vulnerability
First published: Thu Sep 24 2020(Updated: )
A vulnerability in the RESTCONF and NETCONF-YANG access control list (ACL) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload. The vulnerability is due to incorrect processing of the ACL that is tied to the RESTCONF or NETCONF-YANG feature. An attacker could exploit this vulnerability by accessing the device using RESTCONF or NETCONF-YANG. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco IOS XE Web UI | =15.8\(3\)m3 | |
| Cisco 1100-4g/6g Integrated Services Router | ||
| Cisco 1100 Integrated Services Router | ||
| Cisco 1100 Integrated Services Router | ||
| Cisco 1109-4p Integrated Services Router | ||
| Cisco 1100 Integrated Services Router | ||
| Cisco 1100 Integrated Services Router | ||
| Cisco 1100 Integrated Services Router | ||
| Cisco 1100 Series Integrated Services Router | ||
| Cisco 1101 Integrated Services Router | ||
| Cisco 1101 Integrated Services Router | ||
| Cisco 1109 Integrated Services Router | ||
| Cisco 1109 Integrated Services Router | ||
| Cisco 1109 Integrated Services Router | ||
| Cisco 1111x-8p | ||
| Cisco 111x Integrated Services Router | ||
| Cisco 111x Integrated Services Router | ||
| Cisco 1120 Integrated Services Router | ||
| Cisco 1160 Integrated Services Router | ||
| Cisco 4221 Integrated Services Router | ||
| Cisco 4331/k9-rf Integrated Services Router | ||
| Cisco 4431 Integrated Services Router | ||
| Cisco 4451-X Integrated Services Router | ||
| Cisco 4441 Integrated Services Router | ||
| Cisco ASR 1000 series software | ||
| Cisco ASR 1001 | ||
| Cisco ASR 1001-X | ||
| Cisco ASR 1002 Fixed Router | ||
| Cisco ASR 1002-X | ||
| Cisco ASR 1004 | ||
| Cisco ASR 1006 | ||
| Cisco ASR 1013 | ||
| Cisco ASR 1001-HX | ||
| Cisco ASR 1001-HX-RF | ||
| Cisco ASR 1001-X | ||
| Cisco ASR 1001-X | ||
| Cisco ASR 1002-HX | ||
| Cisco ASR 1002-HX | ||
| Cisco ASR 1002-HX | ||
| Cisco ASR 1002-X | ||
| Cisco ASR 1002-X | ||
| Cisco Catalyst 9800-40 | ||
| Cisco Catalyst 9800-80 | ||
| Cisco Catalyst 9800-CL | ||
| Cisco Catalyst 9800-L | ||
| Cisco Catalyst 9800-L | ||
| Cisco Catalyst 9800-L | ||
| Cisco Catalyst C9200 | ||
| Cisco Catalyst 9200 Series | ||
| Cisco Catalyst C9200-48P | ||
| Cisco Catalyst 9200 Series | ||
| Cisco Catalyst C9200L-24P-4G | ||
| Cisco Catalyst C9200L-24P-4X | ||
| Cisco Catalyst C9200L-24PXG-2Y | ||
| Cisco Catalyst C9200L-24PXG-4X | ||
| Cisco Catalyst C9200L-24T-4G | ||
| Cisco Catalyst C9200L-24T-4X | ||
| Cisco Catalyst C9200L-48P-4G | ||
| Cisco Catalyst C9200L-48P-4X | ||
| Cisco Catalyst C9200L-48PXG-2Y | ||
| Cisco Catalyst C9200L-48PXG-4X | ||
| Cisco Catalyst C9200L-48T-4G | ||
| Cisco Catalyst C9200L-48T-4X | ||
| Cisco Catalyst C9300-24P | ||
| Cisco Catalyst C9300 | ||
| Cisco Catalyst 9300-24T-A | ||
| Cisco Catalyst C9300-24U | ||
| Cisco Catalyst 9300-24UX | ||
| Cisco Catalyst C9300-48P | ||
| Cisco Catalyst C9300 | ||
| Cisco Catalyst C9300 | ||
| Cisco Catalyst 9300-48U | ||
| Cisco Catalyst C9300 Series | ||
| Cisco Catalyst C9300-48UXM | ||
| Cisco Catalyst C9300 | ||
| Cisco Catalyst C9300L-24P-4X | ||
| Cisco Catalyst 9300L-24T-4G | ||
| Cisco Catalyst 9300 | ||
| Cisco Catalyst C9300L-48P-4G | ||
| Cisco Catalyst 9300 Series Switches | ||
| Cisco Catalyst C9300 | ||
| Cisco Catalyst C9300L-48T-4X | ||
| Cisco Catalyst C9404R | ||
| Cisco Catalyst 9407R | ||
| Cisco Catalyst 9410R | ||
| Cisco Catalyst 9500 | ||
| Cisco Catalyst 9500 | ||
| Cisco Catalyst 9500 | ||
| Cisco Catalyst C9500-24Y4C | ||
| Cisco Catalyst 9500 | ||
| Cisco Catalyst C9500-32QC | ||
| Cisco Catalyst C9500-40x | ||
| Cisco Catalyst C9500-48Y4C | ||
| Cisco Cloud Services Router 1000V | ||
| Cisco Catalyst 3650 Series Switches | ||
| Cisco Catalyst 3650-12X48UR | ||
| Cisco Catalyst 3650 Series Switch | ||
| Cisco Catalyst 3650 Series Switch | ||
| Cisco Catalyst 3650 24 Port PoE Switch (WS-C3650-24PD) | ||
| Cisco Catalyst 3650-24PS | ||
| Cisco Catalyst 3650-24TD Switch | ||
| Cisco Catalyst 3650-24TS | ||
| Cisco Catalyst 3650 Series Switch | ||
| Cisco Catalyst 3650-48FQ Switch | ||
| Cisco Catalyst 3650-48FQM Switch | ||
| Cisco Catalyst 3650 Series Switch WS-C3650-48FS | ||
| Cisco Catalyst 3650-48PD | ||
| Cisco Catalyst 3650 Series Switches | ||
| Cisco Catalyst 3650-48PS | ||
| Cisco Catalyst 3650 Series Switches | ||
| Cisco Catalyst 3650 48TQ | ||
| Cisco Catalyst 3650-48TS Switch | ||
| Cisco Catalyst 3650-8X24UQ | ||
| Cisco Catalyst 3850 | ||
| Cisco Catalyst 3850 Series Switches | ||
| Cisco Catalyst 3850 Series Switch | ||
| Cisco Catalyst 3850 Switch (model WS-C3850-12XS) | ||
| Cisco Catalyst 3850 Series Switch | ||
| Cisco Catalyst 3850 Series Switches | ||
| Cisco Catalyst 3850 | ||
| Cisco Catalyst 3850 Series Switch | ||
| Cisco Catalyst 3850 Switch | ||
| Cisco Catalyst 3850-24XU | ||
| Cisco Catalyst 3850 48F Switch | ||
| Cisco Catalyst 3850 48 Port PoE Switch | ||
| Cisco Catalyst 3850 Series Switches | ||
| Cisco Catalyst 3850-48U | ||
| Cisco Catalyst 3850 Series Switches |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-3407?
CVE-2020-3407 has a severity rating of high due to its potential impact on device availability.
How do I fix CVE-2020-3407?
To mitigate CVE-2020-3407, update your Cisco IOS XE software to a fixed version as recommended by Cisco.
What Cisco devices are affected by CVE-2020-3407?
CVE-2020-3407 affects multiple versions of Cisco IOS XE software, specifically 15.8(3)m3.
What type of attack could exploit CVE-2020-3407?
An unauthenticated remote attacker could exploit CVE-2020-3407 to cause the affected device to reload.
Is there a workaround for CVE-2020-3407 until I can update?
Currently, there are no published workarounds for CVE-2020-3407; updating to a fixed version is recommended.
- agent/type
- agent/references
- agent/severity
- agent/title
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco ios xe web ui
- version/cisco ios xe web ui/15.8\(3\)m3
- canonical/cisco 1100-4g/6g integrated services router
- canonical/cisco 1100 integrated services router
- canonical/cisco 1109-4p integrated services router
- canonical/cisco 1100 series integrated services router
- canonical/cisco 1101 integrated services router
- canonical/cisco 1109 integrated services router
- canonical/cisco 1111x-8p
- canonical/cisco 111x integrated services router
- canonical/cisco 1120 integrated services router
- canonical/cisco 1160 integrated services router
- canonical/cisco 4221 integrated services router
- canonical/cisco 4331/k9-rf integrated services router
- canonical/cisco 4431 integrated services router
- canonical/cisco 4451-x integrated services router
- canonical/cisco 4441 integrated services router
- canonical/cisco asr 1000 series software
- canonical/cisco asr 1001
- canonical/cisco asr 1001-x
- canonical/cisco asr 1002 fixed router
- canonical/cisco asr 1002-x
- canonical/cisco asr 1004
- canonical/cisco asr 1006
- canonical/cisco asr 1013
- canonical/cisco asr 1001-hx
- canonical/cisco asr 1001-hx-rf
- canonical/cisco asr 1002-hx
- canonical/cisco catalyst 9800-40
- canonical/cisco catalyst 9800-80
- canonical/cisco catalyst 9800-cl
- canonical/cisco catalyst 9800-l
- canonical/cisco catalyst c9200
- canonical/cisco catalyst 9200 series
- canonical/cisco catalyst c9200-48p
- canonical/cisco catalyst c9200l-24p-4g
- canonical/cisco catalyst c9200l-24p-4x
- canonical/cisco catalyst c9200l-24pxg-2y
- canonical/cisco catalyst c9200l-24pxg-4x
- canonical/cisco catalyst c9200l-24t-4g
- canonical/cisco catalyst c9200l-24t-4x
- canonical/cisco catalyst c9200l-48p-4g
- canonical/cisco catalyst c9200l-48p-4x
- canonical/cisco catalyst c9200l-48pxg-2y
- canonical/cisco catalyst c9200l-48pxg-4x
- canonical/cisco catalyst c9200l-48t-4g
- canonical/cisco catalyst c9200l-48t-4x
- canonical/cisco catalyst c9300-24p
- canonical/cisco catalyst c9300
- canonical/cisco catalyst 9300-24t-a
- canonical/cisco catalyst c9300-24u
- canonical/cisco catalyst 9300-24ux
- canonical/cisco catalyst c9300-48p
- canonical/cisco catalyst 9300-48u
- canonical/cisco catalyst c9300 series
- canonical/cisco catalyst c9300-48uxm
- canonical/cisco catalyst c9300l-24p-4x
- canonical/cisco catalyst 9300l-24t-4g
- canonical/cisco catalyst 9300
- canonical/cisco catalyst c9300l-48p-4g
- canonical/cisco catalyst 9300 series switches
- canonical/cisco catalyst c9300l-48t-4x
- canonical/cisco catalyst c9404r
- canonical/cisco catalyst 9407r
- canonical/cisco catalyst 9410r
- canonical/cisco catalyst 9500
- canonical/cisco catalyst c9500-24y4c
- canonical/cisco catalyst c9500-32qc
- canonical/cisco catalyst c9500-40x
- canonical/cisco catalyst c9500-48y4c
- canonical/cisco cloud services router 1000v
- canonical/cisco catalyst 3650 series switches
- canonical/cisco catalyst 3650-12x48ur
- canonical/cisco catalyst 3650 series switch
- canonical/cisco catalyst 3650 24 port poe switch (ws-c3650-24pd)
- canonical/cisco catalyst 3650-24ps
- canonical/cisco catalyst 3650-24td switch
- canonical/cisco catalyst 3650-24ts
- canonical/cisco catalyst 3650-48fq switch
- canonical/cisco catalyst 3650-48fqm switch
- canonical/cisco catalyst 3650 series switch ws-c3650-48fs
- canonical/cisco catalyst 3650-48pd
- canonical/cisco catalyst 3650-48ps
- canonical/cisco catalyst 3650 48tq
- canonical/cisco catalyst 3650-48ts switch
- canonical/cisco catalyst 3650-8x24uq
- canonical/cisco catalyst 3850
- canonical/cisco catalyst 3850 series switches
- canonical/cisco catalyst 3850 series switch
- canonical/cisco catalyst 3850 switch (model ws-c3850-12xs)
- canonical/cisco catalyst 3850 switch
- canonical/cisco catalyst 3850-24xu
- canonical/cisco catalyst 3850 48f switch
- canonical/cisco catalyst 3850 48 port poe switch
- canonical/cisco catalyst 3850-48u