CVE-2024-20262

Summary

A vulnerability in the Secure Copy Protocol (SCP) and SFTP feature of Cisco IOS XR Software could allow an authenticated, local attacker to create or overwrite files in a system directory, which could lead to a denial of service (DoS) condition. The attacker would require valid user credentials to perform this attack. This vulnerability is due to a lack of proper validation of SCP and SFTP CLI input parameters. An attacker could exploit this vulnerability by authenticating to the device and issuing SCP or SFTP CLI commands with specific parameters. A successful exploit could allow the attacker to impact the functionality of the device, which could lead to a DoS condition. The device may need to be manually rebooted to recover. Note: This vulnerability is exploitable only when a local user invokes SCP or SFTP commands at the Cisco IOS XR CLI. A local user with administrative privileges could exploit this vulnerability remotely.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco IOS XR Software5.2.0affected
CiscoCisco IOS XR Software5.2.1affected
CiscoCisco IOS XR Software5.2.2affected
CiscoCisco IOS XR Software5.2.4affected
CiscoCisco IOS XR Software5.2.3affected
CiscoCisco IOS XR Software5.2.5affected
CiscoCisco IOS XR Software5.2.47affected
CiscoCisco IOS XR Software5.3.0affected
CiscoCisco IOS XR Software5.3.1affected
CiscoCisco IOS XR Software5.3.2affected
CiscoCisco IOS XR Software5.3.3affected
CiscoCisco IOS XR Software5.3.4affected
CiscoCisco IOS XR Software6.0.0affected
CiscoCisco IOS XR Software6.0.1affected
CiscoCisco IOS XR Software6.0.2affected
CiscoCisco IOS XR Software6.1.1affected
CiscoCisco IOS XR Software6.1.2affected
CiscoCisco IOS XR Software6.1.3affected
CiscoCisco IOS XR Software6.1.4affected
CiscoCisco IOS XR Software6.1.12affected
CiscoCisco IOS XR Software6.1.22affected
CiscoCisco IOS XR Software6.1.32affected
CiscoCisco IOS XR Software6.1.36affected
CiscoCisco IOS XR Software6.1.42affected
CiscoCisco IOS XR Software6.2.1affected
CiscoCisco IOS XR Software6.2.2affected
CiscoCisco IOS XR Software6.2.3affected
CiscoCisco IOS XR Software6.2.25affected
CiscoCisco IOS XR Software6.2.11affected
CiscoCisco IOS XR Software6.3.2affected
CiscoCisco IOS XR Software6.3.3affected
CiscoCisco IOS XR Software6.3.15affected
CiscoCisco IOS XR Software6.4.1affected
CiscoCisco IOS XR Software6.4.2affected
CiscoCisco IOS XR Software6.4.3affected
CiscoCisco IOS XR Software6.5.1affected
CiscoCisco IOS XR Software6.5.2affected
CiscoCisco IOS XR Software6.5.3affected
CiscoCisco IOS XR Software6.5.25affected
CiscoCisco IOS XR Software6.5.26affected
CiscoCisco IOS XR Software6.5.28affected
CiscoCisco IOS XR Software6.5.29affected
CiscoCisco IOS XR Software6.5.32affected
CiscoCisco IOS XR Software6.5.33affected
CiscoCisco IOS XR Software6.6.2affected
CiscoCisco IOS XR Software6.6.3affected
CiscoCisco IOS XR Software6.6.25affected
CiscoCisco IOS XR Software6.6.4affected
CiscoCisco IOS XR Software7.0.1affected
CiscoCisco IOS XR Software7.0.2affected
CiscoCisco IOS XR Software7.0.12affected
CiscoCisco IOS XR Software7.0.14affected
CiscoCisco IOS XR Software7.1.1affected
CiscoCisco IOS XR Software7.1.2affected
CiscoCisco IOS XR Software6.7.2affected
CiscoCisco IOS XR Software6.7.4affected
CiscoCisco IOS XR Software7.2.0affected
CiscoCisco IOS XR Software7.2.1affected
CiscoCisco IOS XR Software7.2.2affected
CiscoCisco IOS XR Software7.3.1affected
CiscoCisco IOS XR Software7.3.15affected
CiscoCisco IOS XR Software7.3.2affected
CiscoCisco IOS XR Software7.3.3affected
CiscoCisco IOS XR Software7.3.5affected
CiscoCisco IOS XR Software7.4.1affected
CiscoCisco IOS XR Software7.4.2affected
CiscoCisco IOS XR Software7.5.1affected
CiscoCisco IOS XR Software7.5.3affected
CiscoCisco IOS XR Software7.5.2affected
CiscoCisco IOS XR Software7.5.4affected
CiscoCisco IOS XR Software7.5.5affected
CiscoCisco IOS XR Software7.6.1affected
CiscoCisco IOS XR Software7.6.2affected
CiscoCisco IOS XR Software7.7.1affected
CiscoCisco IOS XR Software7.7.2affected
CiscoCisco IOS XR Software7.7.21affected
CiscoCisco IOS XR Software7.8.1affected
CiscoCisco IOS XR Software7.8.2affected
CiscoCisco IOS XR Software7.9.1affected
CiscoCisco IOS XR Software7.9.2affected
CiscoCisco IOS XR Software7.10.1affected
CiscoCisco IOS XR Software7.10.2affected

Weaknesses

  • CWE-269: Improper Privilege Management

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References