CVE-2024-20286: Cisco NX-OS Software Python Parser Escape Vulnerability
First published: Wed Aug 28 2024(Updated: )
A vulnerability in the Python interpreter of Cisco NX-OS Software could allow an authenticated, low-privileged, local attacker to escape the Python sandbox and gain unauthorized access to the underlying operating system of the device. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by manipulating specific functions within the Python interpreter. A successful exploit could allow an attacker to escape the Python sandbox and execute arbitrary commands on the underlying operating system with the privileges of the authenticated user. Note: An attacker must be authenticated with Python execution privileges to exploit these vulnerabilities. For more information regarding Python execution privileges, see product-specific documentation, such as the section of the Cisco Nexus 9000 Series NX-OS Programmability Guide.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Cisco NX-OS | =9.3\(13\) | |
| Any of | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 92304qc | ||
| Cisco Nexus 9000 Series n9k-c9232c | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series N9K-C93108TC-EX | ||
| Cisco Nexus 9000 Series Switch | ||
| Cisco Nexus 93120TX | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series N9K-C9316D-GX | ||
| Cisco Nexus 9000 Series Switch - C93180LC-EX | ||
| Cisco Nexus 93180YC-EX | ||
| Cisco Nexus 93360YC-FX2 | ||
| Cisco Nexus 9000 Series Switch n9k-c93180yc-fx | ||
| Cisco Nexus 93216TC-FX2 | ||
| Cisco Nexus 93240YC-FX2 | ||
| Cisco Nexus 9000 Series N9K-C9332C | ||
| Cisco Nexus 9332D-GX2B | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 93360YC-FX2 | ||
| Cisco Nexus 9336C-FX2 | ||
| Cisco Nexus 9348D-GX2A | ||
| Cisco Nexus 9000 Series Switch n9k-c9348gc-fxp | ||
| Cisco Nexus 9000 Series Switch N9K-C93600CD-GX | ||
| Cisco Nexus 9000 Series N9K-C9364C | ||
| Cisco Nexus 9364C-GX | ||
| Cisco Nexus 9364D-GX2A | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9372TX-E | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9500 Series | ||
| Cisco Nexus 9508 | ||
| Cisco Nexus N9K-C9508-FM-R | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Supervisor B | ||
| Cisco Nexus 9000 Series Supervisor Module B | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 N9K-X9400 | ||
| Cisco Nexus 9000 Series Switches | ||
| Cisco Nexus 9000 Series N9K-X9432C-S | ||
| Cisco Nexus 9000 Series N9K-X9464PX | ||
| Cisco N9K-X9464TX2 Firmware | ||
| Cisco N9K-X9564PX | ||
| Cisco N9K-X9564TX | ||
| Cisco x96136yc-r | ||
| Cisco Nexus 9636C-R | ||
| Cisco Nexus n9k-x9636c-rx | ||
| Cisco Nexus N9K-X9636Q-R | ||
| Cisco Nexus 9000 N9K-X97160YC-EX | ||
| Cisco N9K series switches | ||
| Cisco Nexus 9000 Series Switches n9k-x9732c-ex | ||
| Cisco Nexus 9000 Series N9K-X9732C-FX | ||
| Cisco Nexus 9000 Series Switch n9k-x9736c-ex | ||
| Cisco Nexus 9000 Series Switch | ||
| Cisco Nexus 9000 Series Switch n9k-x9788tc-fx | ||
| Cisco Nexus 3000 | ||
| Cisco Nexus 3000 | ||
| Cisco Nexus 3016Q Firmware | ||
| Cisco Nexus 3016Q Firmware | ||
| Cisco Nexus 3048 Firmware | ||
| Cisco Nexus 3064 Firmware | ||
| Cisco Nexus 3064 | ||
| Cisco Nexus 3064 | ||
| Cisco Nexus 3064x | ||
| Cisco Nexus 3064 | ||
| Cisco Nexus 3064-X Firmware | ||
| Cisco Nexus 3100 Firmware | ||
| Cisco Nexus 3100V Firmware | ||
| Cisco Nexus 3100-Z firmware | ||
| Cisco Nexus 3100V Firmware | ||
| Cisco Nexus 31108PC-V Firmware | ||
| Cisco Nexus 31108PV-V Firmware | ||
| Cisco Nexus 31108TC-V Firmware | ||
| Cisco Nexus 31128PQ | ||
| Cisco Nexus 3132C-Z Firmware | ||
| Cisco Nexus 3132Q-XL | ||
| Cisco Nexus 3132Q-V Firmware | ||
| Cisco Nexus 3132Q-X/3132Q-XL | ||
| Cisco Nexus 3132Q-X/3132Q-XL | ||
| Cisco Nexus 3132Q-XL Firmware | ||
| Cisco Nexus 3164Q Firmware | ||
| Cisco Nexus 3172 Firmware | ||
| Cisco Nexus 3172PQ/PQ-XL | ||
| Cisco Nexus 3172PQ-XL Firmware | ||
| Cisco Nexus 3172PQ/PQ-XL | ||
| Cisco Nexus 3172TQ Firmware | ||
| Cisco Nexus 3172TQ-XL | ||
| Cisco Nexus 3172TQ-XL Firmware | ||
| Cisco Nexus 3200 | ||
| Cisco Nexus 3232 | ||
| Cisco Nexus 3232C | ||
| Cisco Nexus 3232C | ||
| Cisco Nexus 3264C-E Firmware | ||
| Cisco Nexus 3264Q Firmware | ||
| Cisco Nexus 3400 Firmware | ||
| Cisco Nexus 3408-S Firmware | ||
| Cisco Nexus 34180YC Firmware | ||
| Cisco Nexus 34200YC-SM Firmware | ||
| Cisco Nexus 3432D-S Firmware | ||
| Cisco Nexus 3464C Firmware | ||
| Cisco Nexus 3500 Platform | ||
| Cisco Nexus 3500 Platform Firmware | ||
| Cisco Nexus 3524-xl | ||
| Cisco Nexus 3524-xl | ||
| Cisco Nexus 3524-x/xl | ||
| Cisco Nexus 3524-XL Firmware | ||
| Cisco Nexus 3548-X/XL Firmware | ||
| Cisco Nexus 3548-X/XL | ||
| Cisco Nexus 3548-x/xl | ||
| Cisco Nexus 3548-X/XL | ||
| Cisco Nexus 3600 Firmware | ||
| Cisco Nexus 36180YC-R Firmware | ||
| Cisco Nexus 3636C-R Firmware | ||
| Cisco Nexus 9000 Firmware | ||
| Cisco Nexus 9000 in ACI mode | ||
| Cisco Nexus 9000 | ||
| Cisco Nexus 9000 in standalone | ||
| Cisco NX-OS Nexus 9000 Series | ||
| Cisco Nexus 9200 firmware | ||
| Cisco Nexus 9200 | ||
| Cisco Nexus 92160YC Switch | ||
| Cisco Nexus 92160YC-X Firmware | ||
| Cisco Nexus 9221C Firmware | ||
| Cisco Nexus 92300YC Firmware | ||
| Cisco Nexus 92300YC Firmware | ||
| Cisco Nexus 92304QC Switch | ||
| Cisco Nexus 92304qc | ||
| Cisco Nexus 9232E | ||
| Cisco Nexus 92348GC-X Switch | ||
| Cisco Nexus 9236C Switch | ||
| Cisco Nexus 9236c | ||
| Cisco Nexus 9272Q Switch | ||
| Cisco Nexus 9272Q Switch | ||
| Cisco Nexus 9300 Firmware | ||
| Cisco Nexus | ||
| Cisco Nexus 93108TC-EX-24 Firmware | ||
| Cisco Nexus 93108TC-EX-24 | ||
| Cisco Nexus 93108TC-FX Switch | ||
| Cisco Nexus 93108TC-FX Switch | ||
| Cisco Nexus 93108TC-FX3 | ||
| Cisco Nexus 93108TC-FX3 | ||
| Cisco Nexus 93108TC-FX3P Firmware | ||
| Cisco Nexus 93120TX Firmware | ||
| Cisco Nexus 93120TX | ||
| Cisco Nexus 93128 Firmware | ||
| Cisco Nexus 93128 Firmware | ||
| Cisco Nexus 93128tx | ||
| Cisco Nexus 9316D-GX Firmware | ||
| Cisco Nexus 93180LC-EX Switch | ||
| Cisco Nexus 9000 Series Switch | ||
| Cisco Nexus 93180TC-EX Firmware | ||
| Cisco Nexus 93180YC-EX-24 | ||
| Cisco Nexus 93180YC-EX-24 Firmware | ||
| Cisco Nexus 93180YC-EX-24 | ||
| Cisco Nexus 93180YC-FX Firmware | ||
| Cisco Nexus 93180YC-FX-24 Firmware | ||
| Cisco Nexus 93180YC-FX3 Firmware | ||
| Cisco Nexus 93180YC-FX3H | ||
| Cisco Nexus 93180YC-FX3S Firmware | ||
| Cisco Nexus 93216TC-FX2 Firmware | ||
| Cisco Nexus 93240TC-FX2 | ||
| Cisco Nexus 93240YC-FX2 Firmware | ||
| Cisco Nexus 9332C Firmware | ||
| Cisco Nexus 9332D-GX2B Firmware | ||
| Cisco Nexus 9332D-H2R | ||
| Cisco Nexus 9332PQ Firmware | ||
| Cisco Nexus 9332pq | ||
| Cisco Nexus 93360YC-FX2 | ||
| Cisco Nexus 9336C-FX2 Firmware | ||
| Cisco Nexus 9336C-FX2-E Firmware | ||
| Cisco Nexus N9336PQ | ||
| Cisco Nexus 9336PQ ACI Spine Switch | ||
| Cisco Nexus N9336PQ-X | ||
| Cisco Nexus 9336PQ | ||
| Cisco Nexus 93400LD-H1 | ||
| Cisco Nexus 9348D-GX2A | ||
| Cisco Nexus 9348GC-FX3 | ||
| Cisco Nexus 9348GC-FX3PH | ||
| Cisco Nexus 9348GC-FXP Firmware | ||
| Cisco Nexus 93600CD-GX Firmware | ||
| Cisco Nexus 9364c-h1 | ||
| Cisco Nexus 9364C-GX Firmware | ||
| Cisco Nexus 9364c-h1 | ||
| Cisco Nexus 9364D-GX2A Firmware | ||
| Cisco Nexus 9372PX-E | ||
| Cisco Nexus 9372PX-E Firmware | ||
| Cisco Nexus 9372PX-E | ||
| Cisco Nexus 9372px | ||
| Cisco Nexus 9372TX | ||
| Cisco Nexus 9372TX-E Switch | ||
| Cisco Nexus 9372TX-E | ||
| Cisco Nexus 9372TX | ||
| Cisco Nexus 9396PX Firmware | ||
| Cisco Nexus 9396PX Switch | ||
| Cisco Nexus 9396TX Firmware | ||
| Cisco Nexus 9396TX | ||
| Cisco Nexus 9408 | ||
| Cisco Nexus 9432PQ | ||
| Cisco Nexus 9500 Series | ||
| Cisco Nexus 9500 | ||
| Cisco Nexus 9500 | ||
| Cisco Nexus 9500 | ||
| Cisco Nexus 9500 Supervisor A | ||
| Cisco Nexus 9500 Supervisor A+ | ||
| Cisco Nexus 9500 Supervisor B firmware | ||
| Cisco Nexus 9500 Supervisor B+ | ||
| Cisco Nexus 9500R Firmware | ||
| Cisco Nexus 9504 firmware | ||
| Cisco Nexus 9504 | ||
| Cisco Nexus 9508 | ||
| Cisco Nexus 9508 | ||
| Cisco Nexus 9516 firmware | ||
| Cisco Nexus 9516 | ||
| Cisco Nexus 9536PQ Firmware | ||
| Cisco Nexus 9636PQ Firmware | ||
| Cisco Nexus 9716D-GX Firmware | ||
| Cisco Nexus 9736PQ Firmware | ||
| Cisco Nexus 9800 Firmware | ||
| Cisco Nexus 9800 34-port 100g and 14-port 400g line card | ||
| Cisco Nexus 9800 36-port 400g line card | ||
| Cisco Nexus 9804 | ||
| Cisco Nexus 9808 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-psbe-ce-YvbTn5du
- https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/105x/programmability/cisco-nexus-9000-series-nx-os-programmability-guide-105x/m-n9k-python-api-101x.html?bookSearch=true#concept_A2CFF094ADCB414C983EA06AD8E9A410
Frequently Asked Questions
What is the severity of CVE-2024-20286?
CVE-2024-20286 has a high severity rating due to the potential for local attackers to escape the Python sandbox and gain unauthorized access to the underlying operating system.
How do I fix CVE-2024-20286?
To mitigate CVE-2024-20286, upgrade to the patched versions of Cisco NX-OS Software that address this vulnerability.
Who is affected by CVE-2024-20286?
CVE-2024-20286 affects devices running specific versions of Cisco NX-OS Software, particularly those incorporating Python interpreter functionalities.
What type of vulnerability is CVE-2024-20286?
CVE-2024-20286 is a local privilege escalation vulnerability that allows low-privileged authenticated users to escape the Python sandbox.
Is authentication required to exploit CVE-2024-20286?
Yes, an authenticated user with low privileges is required to exploit CVE-2024-20286.
- agent/references
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco nx-os
- version/cisco nx-os/9.3\(13\)
- canonical/cisco nexus 9000 series switches
- canonical/cisco nexus 92304qc
- canonical/cisco nexus 9000 series n9k-c9232c
- canonical/cisco nexus 9000 series n9k-c93108tc-ex
- canonical/cisco nexus 9000 series switch
- canonical/cisco nexus 93120tx
- canonical/cisco nexus 9000 series n9k-c9316d-gx
- canonical/cisco nexus 9000 series switch - c93180lc-ex
- canonical/cisco nexus 93180yc-ex
- canonical/cisco nexus 93360yc-fx2
- canonical/cisco nexus 9000 series switch n9k-c93180yc-fx
- canonical/cisco nexus 93216tc-fx2
- canonical/cisco nexus 93240yc-fx2
- canonical/cisco nexus 9000 series n9k-c9332c
- canonical/cisco nexus 9332d-gx2b
- canonical/cisco nexus 9336c-fx2
- canonical/cisco nexus 9348d-gx2a
- canonical/cisco nexus 9000 series switch n9k-c9348gc-fxp
- canonical/cisco nexus 9000 series switch n9k-c93600cd-gx
- canonical/cisco nexus 9000 series n9k-c9364c
- canonical/cisco nexus 9364c-gx
- canonical/cisco nexus 9364d-gx2a
- canonical/cisco nexus 9372tx-e
- canonical/cisco nexus 9500 series
- canonical/cisco nexus 9508
- canonical/cisco nexus n9k-c9508-fm-r
- canonical/cisco nexus 9000 supervisor b
- canonical/cisco nexus 9000 series supervisor module b
- canonical/cisco nexus 9000 n9k-x9400
- canonical/cisco nexus 9000 series n9k-x9432c-s
- canonical/cisco nexus 9000 series n9k-x9464px
- canonical/cisco n9k-x9464tx2 firmware
- canonical/cisco n9k-x9564px
- canonical/cisco n9k-x9564tx
- canonical/cisco x96136yc-r
- canonical/cisco nexus 9636c-r
- canonical/cisco nexus n9k-x9636c-rx
- canonical/cisco nexus n9k-x9636q-r
- canonical/cisco nexus 9000 n9k-x97160yc-ex
- canonical/cisco n9k series switches
- canonical/cisco nexus 9000 series switches n9k-x9732c-ex
- canonical/cisco nexus 9000 series n9k-x9732c-fx
- canonical/cisco nexus 9000 series switch n9k-x9736c-ex
- canonical/cisco nexus 9000 series switch n9k-x9788tc-fx
- canonical/cisco nexus 3000
- canonical/cisco nexus 3016q firmware
- canonical/cisco nexus 3048 firmware
- canonical/cisco nexus 3064 firmware
- canonical/cisco nexus 3064
- canonical/cisco nexus 3064x
- canonical/cisco nexus 3064-x firmware
- canonical/cisco nexus 3100 firmware
- canonical/cisco nexus 3100v firmware
- canonical/cisco nexus 3100-z firmware
- canonical/cisco nexus 31108pc-v firmware
- canonical/cisco nexus 31108pv-v firmware
- canonical/cisco nexus 31108tc-v firmware
- canonical/cisco nexus 31128pq
- canonical/cisco nexus 3132c-z firmware
- canonical/cisco nexus 3132q-xl
- canonical/cisco nexus 3132q-v firmware
- canonical/cisco nexus 3132q-x/3132q-xl
- canonical/cisco nexus 3132q-xl firmware
- canonical/cisco nexus 3164q firmware
- canonical/cisco nexus 3172 firmware
- canonical/cisco nexus 3172pq/pq-xl
- canonical/cisco nexus 3172pq-xl firmware
- canonical/cisco nexus 3172tq firmware
- canonical/cisco nexus 3172tq-xl
- canonical/cisco nexus 3172tq-xl firmware
- canonical/cisco nexus 3200
- canonical/cisco nexus 3232
- canonical/cisco nexus 3232c
- canonical/cisco nexus 3264c-e firmware
- canonical/cisco nexus 3264q firmware
- canonical/cisco nexus 3400 firmware
- canonical/cisco nexus 3408-s firmware
- canonical/cisco nexus 34180yc firmware
- canonical/cisco nexus 34200yc-sm firmware
- canonical/cisco nexus 3432d-s firmware
- canonical/cisco nexus 3464c firmware
- canonical/cisco nexus 3500 platform
- canonical/cisco nexus 3500 platform firmware
- canonical/cisco nexus 3524-xl
- canonical/cisco nexus 3524-x/xl
- canonical/cisco nexus 3524-xl firmware
- canonical/cisco nexus 3548-x/xl firmware
- canonical/cisco nexus 3548-x/xl
- canonical/cisco nexus 3600 firmware
- canonical/cisco nexus 36180yc-r firmware
- canonical/cisco nexus 3636c-r firmware
- canonical/cisco nexus 9000 firmware
- canonical/cisco nexus 9000 in aci mode
- canonical/cisco nexus 9000
- canonical/cisco nexus 9000 in standalone
- canonical/cisco nx-os nexus 9000 series
- canonical/cisco nexus 9200 firmware
- canonical/cisco nexus 9200
- canonical/cisco nexus 92160yc switch
- canonical/cisco nexus 92160yc-x firmware
- canonical/cisco nexus 9221c firmware
- canonical/cisco nexus 92300yc firmware
- canonical/cisco nexus 92304qc switch
- canonical/cisco nexus 9232e
- canonical/cisco nexus 92348gc-x switch
- canonical/cisco nexus 9236c switch
- canonical/cisco nexus 9236c
- canonical/cisco nexus 9272q switch
- canonical/cisco nexus 9300 firmware
- canonical/cisco nexus
- canonical/cisco nexus 93108tc-ex-24 firmware
- canonical/cisco nexus 93108tc-ex-24
- canonical/cisco nexus 93108tc-fx switch
- canonical/cisco nexus 93108tc-fx3
- canonical/cisco nexus 93108tc-fx3p firmware
- canonical/cisco nexus 93120tx firmware
- canonical/cisco nexus 93128 firmware
- canonical/cisco nexus 93128tx
- canonical/cisco nexus 9316d-gx firmware
- canonical/cisco nexus 93180lc-ex switch
- canonical/cisco nexus 93180tc-ex firmware
- canonical/cisco nexus 93180yc-ex-24
- canonical/cisco nexus 93180yc-ex-24 firmware
- canonical/cisco nexus 93180yc-fx firmware
- canonical/cisco nexus 93180yc-fx-24 firmware
- canonical/cisco nexus 93180yc-fx3 firmware
- canonical/cisco nexus 93180yc-fx3h
- canonical/cisco nexus 93180yc-fx3s firmware
- canonical/cisco nexus 93216tc-fx2 firmware
- canonical/cisco nexus 93240tc-fx2
- canonical/cisco nexus 93240yc-fx2 firmware
- canonical/cisco nexus 9332c firmware
- canonical/cisco nexus 9332d-gx2b firmware
- canonical/cisco nexus 9332d-h2r
- canonical/cisco nexus 9332pq firmware
- canonical/cisco nexus 9332pq
- canonical/cisco nexus 9336c-fx2 firmware
- canonical/cisco nexus 9336c-fx2-e firmware
- canonical/cisco nexus n9336pq
- canonical/cisco nexus 9336pq aci spine switch
- canonical/cisco nexus n9336pq-x
- canonical/cisco nexus 9336pq
- canonical/cisco nexus 93400ld-h1
- canonical/cisco nexus 9348gc-fx3
- canonical/cisco nexus 9348gc-fx3ph
- canonical/cisco nexus 9348gc-fxp firmware
- canonical/cisco nexus 93600cd-gx firmware
- canonical/cisco nexus 9364c-h1
- canonical/cisco nexus 9364c-gx firmware
- canonical/cisco nexus 9364d-gx2a firmware
- canonical/cisco nexus 9372px-e
- canonical/cisco nexus 9372px-e firmware
- canonical/cisco nexus 9372px
- canonical/cisco nexus 9372tx
- canonical/cisco nexus 9372tx-e switch
- canonical/cisco nexus 9396px firmware
- canonical/cisco nexus 9396px switch
- canonical/cisco nexus 9396tx firmware
- canonical/cisco nexus 9396tx
- canonical/cisco nexus 9408
- canonical/cisco nexus 9432pq
- canonical/cisco nexus 9500
- canonical/cisco nexus 9500 supervisor a
- canonical/cisco nexus 9500 supervisor a+
- canonical/cisco nexus 9500 supervisor b firmware
- canonical/cisco nexus 9500 supervisor b+
- canonical/cisco nexus 9500r firmware
- canonical/cisco nexus 9504 firmware
- canonical/cisco nexus 9504
- canonical/cisco nexus 9516 firmware
- canonical/cisco nexus 9516
- canonical/cisco nexus 9536pq firmware
- canonical/cisco nexus 9636pq firmware
- canonical/cisco nexus 9716d-gx firmware
- canonical/cisco nexus 9736pq firmware
- canonical/cisco nexus 9800 firmware
- canonical/cisco nexus 9800 34-port 100g and 14-port 400g line card
- canonical/cisco nexus 9800 36-port 400g line card
- canonical/cisco nexus 9804
- canonical/cisco nexus 9808