PT-2020-3778 · Cisco · Cisco Nexus 9000 Series Switches
Published: 2020-08-26 · Updated: 2020-09-09 · CVE-2020-3394
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode (affected versions not specified)
Description:
A logic error in the implementation of the enable command in the Enable Secret feature could allow an authenticated, local attacker to gain full administrative privileges without using the enable password. The attacker would need to have valid credentials for the affected device and log in to the device to issue the enable command. The Enable Secret feature is disabled by default.
Recommendations:
For Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode, update to a version that includes the software updates released by Cisco to address this vulnerability.
As a temporary workaround, consider disabling the Enable Secret feature until a patch is available.
Restrict access to the enable command to minimize the risk of exploitation.
Fix
Improper Authorization
Missing Authorization
Affected Products
Cisco Nexus
Cisco Nexus 3000 Series Switches
Cisco Nexus 9000 Series Switches
NX-OS