cisco rv016_firmware 内存缓冲区边界内操作的限制不恰当

CVE编号

CVE-2020-3289

利用情况

暂无

补丁情况

N/A

披露时间

2020-06-18

漏洞描述

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code on an affected device. The vulnerabilities are due to insufficient boundary restrictions on user-supplied input to scripts in the web-based management interface. An attacker with administrative privileges that are sufficient to log in to the web-based management interface could exploit each vulnerability by sending crafted requests that contain overly large values to an affected device, causing a stack overflow. A successful exploit could allow the attacker to cause the device to crash or allow the attacker to execute arbitrary code with root privileges on the underlying operating system.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	系统	cisco	rv016_firmware	*		Up to (including) 4.2.3.10
	运行在以下环境
	系统	cisco	rv042g_firmware	*		Up to (including) 4.2.3.10
	运行在以下环境
	系统	cisco	rv042_firmware	*		Up to (including) 4.2.3.10
	运行在以下环境
	系统	cisco	rv082_firmware	*		Up to (including) 4.2.3.10
	运行在以下环境
	系统	cisco	rv320_firmware	*		Up to (including) 1.5.1.05
	运行在以下环境
	系统	cisco	rv325_firmware	*		Up to (including) 1.5.1.05
	运行在以下环境
	硬件	cisco	rv016	-	-
	运行在以下环境
	硬件	cisco	rv042	-	-
	运行在以下环境
	硬件	cisco	rv042g	-	-
	运行在以下环境
	硬件	cisco	rv082	-	-
	运行在以下环境
	硬件	cisco	rv320	-	-
	运行在以下环境
	硬件	cisco	rv325	-	-

CVSS3评分 7.2

• 攻击路径 网络
• 攻击复杂度 低
• 权限要求 高
• 影响范围 未更改
• 用户交互 无
• 可用性 高
• 保密性 高
• 完整性 高

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-ID	漏洞类型
CWE-119	内存缓冲区边界内操作的限制不恰当
CWE-787	跨界内存写

Exp相关链接

- avd.aliyun.com