CVE-2020-3308

EPSS 0.08%
Published 06.05.2020 17:15:13
Last modified 26.11.2024 16:09:02
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the Image Signature Verification feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by crafting an unsigned software patch to bypass signature checks and loading it on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Firepower Threat Defense Version < 6.2.2.1

Cisco ≫ Secure Firewall Management Center Version6.2.2

Cisco ≫ Secure Firewall Management Center Version6.2.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.242

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N
psirt@cisco.com	4.9	1.2	3.6	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sigbypass-FcvPPCeP

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-3308

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-3308

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-3308

EUVD