Main Vulnerability Database Vulnerabilities #VU73984

Improper Verification of Cryptographic Signature in Cisco Systems, Inc products - CVE-2023-20082

Published: March 23, 2023

Vulnerability identifier: #VU73984

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-20082

CWE-ID: CWE-347

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Catalyst 9300 Series Switches
Cisco IOS XE
Cisco IOS XE ROM Monitor

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a local attacker to execute arbitrary code at boot time and break the chain of trust.

The vulnerability exists due to errors that occur when retrieving the public release key that is used for image signature verification. An attacker with physical access can modify specific variables in the Serial Peripheral Interface (SPI) flash memory and execute arbitrary code on the target system.

Remediation

Install updates from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ

Improper Verification of Cryptographic Signature in Cisco Systems, Inc products - CVE-2023-20082

Description

Remediation

External links

Please verify you're human