Unauthenticated Remote Code Execution Vulnerability in Cisco RCM for StarOS

CVE-2022-20649

8.1HIGH

Key Information

Vendor
Cisco
Status
Cisco Redundancy Configuration Manager
Vendor
CVE Published:
15 November 2024

Summary

A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container.

This vulnerability exists because the debug mode is incorrectly enabled for specific services. An attacker could exploit this vulnerability by connecting to the device and navigating to the service with debug mode enabled. A successful exploit could allow the attacker to execute arbitrary commands as the root user. The attacker would need to perform detailed reconnaissance to allow for unauthenticated access. The vulnerability can also be exploited by an authenticated attacker. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Affected Version(s)

Cisco Redundancy Configuration Manager = 2021.02.0

Cisco Redundancy Configuration Manager = 2021.01.0

Cisco Redundancy Configuration Manager = 21.19.n13

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.