CVE-2020-3231 - Incorrect Authorization

Severity

47%

Complexity

27%

Confidentiality

23%

A vulnerability in the 802.1X feature of Cisco Catalyst 2960-L Series Switches and Cisco Catalyst CDB-8P Switches could allow an unauthenticated, adjacent attacker to forward broadcast traffic before being authenticated on the port. The vulnerability exists because broadcast traffic that is received on the 802.1X-enabled port is mishandled. An attacker could exploit this vulnerability by sending broadcast traffic on the port before being authenticated. A successful exploit could allow the attacker to send and receive broadcast traffic on the 802.1X-enabled port before authentication.

CVSS 3.1 Base Score 4.7. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

CVSS 2.0 Base Score 2.9. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N).

Demo Examples

Incorrect Authorization

CWE-863

The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.


               
}
}
setcookie("role", $role, time()+60*60*2);
die("\n");
DisplayMedicalHistory($_POST['patient_ID']);
die("You are not Authorized to view this record\n");

The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system.

Overview

Type

Cisco IOS

First reported 5 years ago

2020-06-03 18:15:00

Last updated 4 years ago

2020-06-08 18:25:00

Affected Software

Cisco IOS 15.2(5)E2

15.2\(5\)e2

Cisco IOS 15.2(5)EX

15.2\(5\)ex

Cisco IOS 15.2(5a)E

15.2\(5a\)e

Cisco IOS 15.2(5b)E

15.2\(5b\)e

Cisco IOS 15.2(5C)E

15.2\(5c\)e

Cisco IOS 15.2(7)E

15.2\(7\)e

Cisco IOS 15.2(7)E0s

15.2\(7\)e0s

Cisco IOS 15.2(6)E

15.2\(6\)e

Cisco IOS 15.2(6)E0C

15.2\(6\)e0c

Cisco IOS 15.2(6)E1

15.2\(6\)e1

Cisco IOS 15.2(6)E1A

15.2\(6\)e1a

Cisco IOS 15.2(6)E1S

15.2\(6\)e1s

Cisco IOS 15.2(6)E2

15.2\(6\)e2

Cisco IOS 15.2(6)E2B

15.2\(6\)e2b

Cisco IOS 15.2(6)E3

15.2\(6\)e3

Cisco IOS 15.2(6)E4

15.2\(6\)e4

Cisco IOS 15.2(7)E0A

15.2\(7\)e0a

Cisco IOS 15.2(7)E0B

15.2\(7\)e0b

Cisco IOS 15.2(7A)E0B

15.2\(7a\)e0b

Cisco IOS 15.2(7b)e0b

15.2\(7b\)e0b

Cisco IOS 15.3(3)JAA1

15.3\(3\)jaa1

Cisco IOS 15.3(3)JPJ

15.3\(3\)jpj

References

20200603 Cisco IOS Software for Catalyst 2960-L Series Switches and Catalyst CDB-8P Switches 802.1X Authentication Bypass Vulnerability

20200603 Cisco IOS Software for Catalyst 2960-L Series Switches and Catalyst CDB-8P Switches 802.1X Authentication Bypass Vulnerability

Patch, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.