Vulnerability Name: CVE-2020-3170 (CCN-176933)

Assigned: 2019-12-12
Published: 2020-02-26
Updated: 2020-03-03
Summary: A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP request to the NX-API on an affected device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition in the NX-API service; however, the Cisco NX-OS device itself would still be available and passing network traffic.
Note: The NX-API feature is disabled by default.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-20
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2020-3170

Source: XF
Type: UNKNOWN
cisco-cve20203170-dos(176933)

Source: CCN
Type: Cisco Security Advisory cisco-sa-20200226-nxos-api-dos
Cisco NX-OS Software NX-API Denial of Service Vulnerability

Source: CISCO
Type: Vendor Advisory
20200226 Cisco NX-OS Software NX-API Denial of Service Vulnerability

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:cisco:nx-os:*:*:*:*:*:*:*:* (Version < 8.4(1))
  • AND
  • cpe:/h:cisco:mds_9132t:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9148s:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9148t:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9216:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9216a:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9216i:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9222i:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9506:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9509:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9513:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9706:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9710:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:mds_9718:-:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:cisco:nx-os:*:*:*:*:*:*:*:* (Version < 8.2(5))
  • AND
  • cpe:/h:cisco:nexus_7000:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:nexus_7700:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    cisco nx-os *
    cisco mds 9132t -
    cisco mds 9148s -
    cisco mds 9148t -
    cisco mds 9216 -
    cisco mds 9216a -
    cisco mds 9216i -
    cisco mds 9222i -
    cisco mds 9506 -
    cisco mds 9509 -
    cisco mds 9513 -
    cisco mds 9706 -
    cisco mds 9710 -
    cisco mds 9718 -
    cisco nx-os *
    cisco nexus 7000 -
    cisco nexus 7700 -