First published: Wed Feb 26 2020(Updated: )
A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to read or write arbitrary files on the underlying operating system (OS). The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to a specific CLI command. A successful exploit could allow the attacker to read or write to arbitrary files on the underlying OS. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-cli-file
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco ASA Software | >=9.10=9.12<=9.13<9.13.1.7>=9.8<=9.9<9.9.2.66 | 9.13.1.7 9.9.2.66 |
Cisco FTD Software | >=6.2.2<=6.2.3<6.2.3.16 (Apr 2020) | 6.2.3.16 (Apr 2020) |
Cisco FXOS Software | =2.6<2.6.1.157=2.4<2.4.1.238=2.3<2.3.1.155>=Earlier than 2.2<=2.2<2.2.2.97 | 2.6.1.157 2.4.1.238 2.3.1.155 2.2.2.97 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability allows an authenticated, local attacker to read or write arbitrary files on the underlying operating system (OS) due to insufficient input validation in the CLI of Cisco FXOS Software.
Users of Cisco FXOS Software versions 2.2.2.97 and earlier, 2.3 up to 2.3.1.155, 2.4 up to 2.4.1.238, 2.6 up to 2.6.1.157, Cisco ASA Software versions 9.8 up to 9.9.2.66, 9.10 up to 9.12, and 9.13 up to 9.13.1.7, as well as Cisco FTD Software versions 6.2.2 up to 6.2.3.16 (Apr 2020) are affected.
The vulnerability is rated medium with a severity score of 4.2.
An attacker can exploit the vulnerability by including crafted arguments in CLI commands to read or write arbitrary files on the underlying OS.
Yes, Cisco has released software updates to address the vulnerability. Users should upgrade to the specified fixed versions.
You can find more information about the vulnerability at the Cisco Security Advisory: [link](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-cli-file).