SB2021090908 - Multiple vulnerabilities in Cisco IOS XR Software for Cisco 8000 and Network Convergence System 540 Series Routers
Published: September 9, 2021
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-34708)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local administrator to execute arbitrary code on the system.
The vulnerability exists because an unsigned script inside the ISO image is not verified while the install request is being processed. A local administrator can modify an ISO image and execute arbitrary code on the affected device.
2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-34709)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local administrator to execute arbitrary code on the system.
The vulnerability exists in Cisco IOS XR Software because of a race condition that occurs while the install request is being processed. A local administrator can modify an ISO image and execute arbitrary code on the affected device.
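The two defects above are the same verification flow failing in two ways: a script that the signature never covered still gets executed, and the bytes that are executed are not the bytes that were checked. The added example below (not Cisco code; it models an image as an in-memory dictionary and uses an HMAC with a constructed key as a stand-in for the vendor signature) shows a weak installer with both defects beside a hardened one that only accepts manifest-listed members and uses exactly the verified copy.

```python
import hashlib, hmac, json

# Constructed stand-in for the vendor's image-signing key. A real installer
# verifies an asymmetric signature against a pinned public key; HMAC is used
# here only so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"

def sign_manifest(members: dict) -> dict:
    """Vendor side: manifest naming every member of the image with its digest."""
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in members.items()}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "sig": hmac.new(VENDOR_KEY, payload, "sha256").hexdigest()}

def check_manifest(manifest: dict) -> None:
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        raise ValueError("manifest signature does not verify")

def weak_install(image: dict, manifest: dict, after_check=None) -> list:
    """Flawed flow with both defects from the bulletin:
    - members the manifest does not list (unsigned scripts) are still run;
    - scripts are re-read from the image after the check, so a concurrent
      writer (simulated by after_check) can swap them in: a TOCTOU race."""
    check_manifest(manifest)
    for name, digest in manifest["digests"].items():
        if hashlib.sha256(image[name]).hexdigest() != digest:
            raise ValueError(f"digest mismatch for {name}")
    if after_check:
        after_check()  # window between verification and use
    return [image[n] for n in image if n.endswith(".sh")]

def hardened_install(image: dict, manifest: dict, after_check=None) -> list:
    """Only manifest-listed members are accepted, and exactly the bytes that
    were verified are the bytes that get used."""
    check_manifest(manifest)
    unlisted = set(image) - set(manifest["digests"])
    if unlisted:
        raise ValueError(f"unsigned members in image: {sorted(unlisted)}")
    verified = {}
    for name, digest in manifest["digests"].items():
        data = image[name]  # read once ...
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            raise ValueError(f"digest mismatch for {name}")
        verified[name] = data  # ... and keep that exact copy
    if after_check:
        after_check()  # same window; the verified copy is unaffected
    return [verified[n] for n in verified if n.endswith(".sh")]
```

The returned list stands in for "scripts the installer would run"; the hardened version also rejects the image outright when it carries anything the signed manifest does not cover.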
Remediation
Install the update from the vendor's website.