CVE-2019-1615

EPSS 0.08%
Published 11.03.2019 21:29:00
Last modified 21.11.2024 04:36:56
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability is due to improper verification of digital signatures for software images. An attacker could exploit this vulnerability by loading an unsigned software image on an affected device. A successful exploit could allow the attacker to boot a malicious software image. Note: The fix for this vulnerability requires a BIOS upgrade as part of the software upgrade. For additional information, see the Details section of this advisory. Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I7(5). Nexus 9000 Series Fabric Switches in ACI Mode are affected running software versions prior to 13.2(1l). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I7(5). Nexus 9500 R-Series Line Cards and Fabric Modules are affected running software versions prior to 7.0(3)F3(5).

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Nx-os Version7.0(3)i7(3)

   Cisco ≫ 9432pq Version-
   Cisco ≫ 9536pq Version-
   Cisco ≫ 9636pq Version-
   Cisco ≫ 9736pq Version-
   Cisco ≫ N9k-x9432c-s Version-
   Cisco ≫ N9k-x9464px Version-
   Cisco ≫ N9k-x9464tx2 Version-
   Cisco ≫ N9k-x9564px Version-
   Cisco ≫ N9k-x9564tx Version-
   Cisco ≫ N9k-x9636c-r Version-
   Cisco ≫ N9k-x9636c-rx Version-
   Cisco ≫ N9k-x97160yc-ex Version-
   Cisco ≫ N9k-x9732c-ex Version-
   Cisco ≫ N9k-x9732c-fx Version-
   Cisco ≫ N9k-x9736c-ex Version-
   Cisco ≫ N9k-x9736c-fx Version-
   Cisco ≫ N9k-x9788tc-fx Version-
   Cisco ≫ Nexus 92160yc-x Version-
   Cisco ≫ Nexus 92300yc Version-
   Cisco ≫ Nexus 92304qc Version-
   Cisco ≫ Nexus 9236c Version-
   Cisco ≫ Nexus 9272q Version-
   Cisco ≫ Nexus 93108tc-ex Version-
   Cisco ≫ Nexus 93108tc-fx Version-
   Cisco ≫ Nexus 93120tx Version-
   Cisco ≫ Nexus 9316d-gx Version-
   Cisco ≫ Nexus 93180lc-ex Version-
   Cisco ≫ Nexus 93180yc-ex Version-
   Cisco ≫ Nexus 93180yc-fx Version-
   Cisco ≫ Nexus 93240yc-fx2 Version-
   Cisco ≫ Nexus 9332c Version-
   Cisco ≫ Nexus 9336c-fx2 Version-
   Cisco ≫ Nexus 9348gc-fxp Version-
   Cisco ≫ Nexus 93600cd-gx Version-
   Cisco ≫ Nexus 9364c Version-
   Cisco ≫ Nexus 9504 Version-
   Cisco ≫ Nexus 9508 Version-
   Cisco ≫ Nexus 9516 Version-
   Cisco ≫ X9636q-r Version-

Cisco ≫ Nx-os Version9.2(1)

Cisco ≫ Nx-os Version12.3(0.97)

Cisco ≫ Nx-os Version7.0(3)i7(5)

   Cisco ≫ N3k-c31128pq-10ge Version-
   Cisco ≫ N3k-c3132c-z Version-
   Cisco ≫ N3k-c3164q-40ge Version-
   Cisco ≫ N3k-c3264q Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.215

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
psirt@cisco.com	6.7	0.8	5.9	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

http://www.securityfocus.com/bid/107397

Third Party Advisory

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1615

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1615

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1615

EUVD