6.7

CVE-2019-1808

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by loading an unsigned software patch on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image.

Data is provided by the National Vulnerability Database (NVD)
Cisco NX-OS Version >= 7.3 < 8.1(1a)
   Cisco Mds 9706 Version -
   Cisco Mds 9710 Version -
   Cisco Mds 9718 Version -
Cisco NX-OS Version >= 8.2 < 8.3(1)
   Cisco Mds 9706 Version -
   Cisco Mds 9710 Version -
   Cisco Mds 9718 Version -
Cisco NX-OS Version >= 7.2 < 7.3(3)d1(1)
   Cisco 7000 10-slot Version -
   Cisco 7000 18-slot Version -
   Cisco 7000 4-slot Version -
   Cisco 7000 9-slot Version -
   Cisco 7700 10-slot Version -
   Cisco 7700 18-slot Version -
   Cisco 7700 2-slot Version -
   Cisco 7700 6-slot Version -
   Cisco N77-f312ck-26 Version -
   Cisco N77-f324fq-25 Version -
   Cisco N77-f348xp-23 Version -
   Cisco N77-f430cq-36 Version -
   Cisco N77-m312cq-26l Version -
   Cisco N77-m324fq-25l Version -
   Cisco N77-m348xp-23l Version -
   Cisco N7k-f248xp-25e Version -
   Cisco N7k-f306ck-25 Version -
   Cisco N7k-f312fq-25 Version -
   Cisco N7k-m202cf-22l Version -
   Cisco N7k-m206fq-23l Version -
   Cisco N7k-m224xp-23l Version -
   Cisco N7k-m324fq-25l Version -
   Cisco N7k-m348xp-25l Version -
   Cisco Nexus 7000 Supervisor 1 Version -
   Cisco Nexus 7000 Supervisor 2 Version -
   Cisco Nexus 7000 Supervisor 2e Version -
   Cisco Nexus 7700 Supervisor 2e Version -
   Cisco Nexus 7700 Supervisor 3e Version -
Cisco NX-OS Version >= 8.0 < 8.2(3)
   Cisco 7000 10-slot Version -
   Cisco 7000 18-slot Version -
   Cisco 7000 4-slot Version -
   Cisco 7000 9-slot Version -
   Cisco 7700 10-slot Version -
   Cisco 7700 18-slot Version -
   Cisco 7700 2-slot Version -
   Cisco 7700 6-slot Version -
   Cisco N77-f312ck-26 Version -
   Cisco N77-f324fq-25 Version -
   Cisco N77-f348xp-23 Version -
   Cisco N77-f430cq-36 Version -
   Cisco N77-m312cq-26l Version -
   Cisco N77-m324fq-25l Version -
   Cisco N77-m348xp-23l Version -
   Cisco N7k-f248xp-25e Version -
   Cisco N7k-f306ck-25 Version -
   Cisco N7k-f312fq-25 Version -
   Cisco N7k-m202cf-22l Version -
   Cisco N7k-m206fq-23l Version -
   Cisco N7k-m224xp-23l Version -
   Cisco N7k-m324fq-25l Version -
   Cisco N7k-m348xp-25l Version -
   Cisco Nexus 7000 Supervisor 1 Version -
   Cisco Nexus 7000 Supervisor 2 Version -
   Cisco Nexus 7000 Supervisor 2e Version -
   Cisco Nexus 7700 Supervisor 2e Version -
   Cisco Nexus 7700 Supervisor 3e Version -
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.09% | 0.221
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 4.4 | 0.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov | 2.1 | 3.9 | 2.9 | AV:L/AC:L/Au:N/C:N/I:P/A:N
psirt@cisco.com | 6.7 | 0.8 | 5.9 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.