Improper Verification of Cryptographic Signature in Cisco IOS XE



Published: 2020-06-03 | Updated: 2022-11-01
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-3209
CWE-ID CWE-347
Exploitation vector Local
Public exploit N/A
Vulnerable software
Cisco IOS XE
Operating systems & Components / Operating system

Vendor Cisco
Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU68872

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3209

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to an improper check in the code that verifies the digital signatures of system image files during the initial boot process. An attacker with physical access to the device can install and boot a malicious software image or execute unsigned binaries on the target device.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco IOS XE: before Gibraltar 16.12.1s

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-digsig-bypass-FYQ3bmVq


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
