Improper Verification of Cryptographic Signature in Cisco Systems, Inc products - CVE-2023-20082

 

Improper Verification of Cryptographic Signature in Cisco Systems, Inc products - CVE-2023-20082

Published: March 23, 2023


Vulnerability identifier: #VU73984
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-20082
CWE-ID: CWE-347
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Catalyst 9300 Series Switches
Cisco IOS XE
Cisco IOS XE ROM Monitor

Detailed vulnerability description

The vulnerability allows a local attacker to execute arbitrary code at boot time and break the chain of trust.

The vulnerability exists due to errors that occur when retrieving the public release key that is used for image signature verification. An attacker with physical access can modify specific variables in the Serial Peripheral Interface (SPI) flash memory and execute arbitrary code on the target system.


How to mitigate CVE-2023-20082

Install updates from vendor's website.

Sources