CVE-2020-3353

Published: Jun 3, 2020Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

A vulnerability in the syslog processing engine of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a race condition that may occur when syslog messages are processed. An attacker could exploit this vulnerability by sending a high rate of syslog messages to an affected device. A successful exploit could allow the attacker to cause the Application Server process to crash, resulting in a DoS condition.

Affected (21)

Products: Cisco: Identity Services Engine

Cisco

1 product

Identity Services Engine

Configuration A

21 vulnerable

Vulnerable Software	Affected Versions
Cisco Identity Services Engine	Version 2.2.0.470
Cisco Identity Services Engine	Version 2.2.0.470 patch10
Cisco Identity Services Engine	Version 2.2.0.470 patch11
Cisco Identity Services Engine	Version 2.2.0.470 patch12
Cisco Identity Services Engine	Version 2.2.0.470 patch1
Cisco Identity Services Engine	Version 2.2.0.470 patch2
Cisco Identity Services Engine	Version 2.2.0.470 patch3
Cisco Identity Services Engine	Version 2.2.0.470 patch4
Cisco Identity Services Engine	Version 2.2.0.470 patch5
Cisco Identity Services Engine	Version 2.2.0.470 patch6
Cisco Identity Services Engine	Version 2.2.0.470 patch7
Cisco Identity Services Engine	Version 2.2.0.470 patch8
Cisco Identity Services Engine	Version 2.2.0.470 patch9
Cisco Identity Services Engine	Version 2.3.0.298
Cisco Identity Services Engine	Version 2.3.0.298 patch1
Cisco Identity Services Engine	Version 2.3.0.298 patch2
Cisco Identity Services Engine	Version 2.3.0.298 patch3
Cisco Identity Services Engine	Version 2.3.0.298 patch4
Cisco Identity Services Engine	Version 2.3.0.298 patch5
Cisco Identity Services Engine	Version 2.4.0.357
Cisco Identity Services Engine	Version 2.4.0.357 patch1

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-dos-qNzq39K7

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-dos-qNzq39K7

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.