CVE-2021-1449

EPSS 0.04%
Published 24.03.2021 20:15:15
Last modified 21.11.2024 05:44:23
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the boot logic of Cisco Access Points Software could allow an authenticated, local attacker to execute unsigned code at boot time. The vulnerability is due to an improper check that is performed by the area of code that manages system startup processes. An attacker could exploit this vulnerability by modifying a specific file that is stored on the system, which would allow the attacker to bypass existing protections. A successful exploit could allow the attacker to execute unsigned code at boot time and bypass the software image verification check part of the secure boot process of an affected device. Note: To exploit this vulnerability, the attacker would need to have access to the development shell (devshell) on the device.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Aironet Access Point Software Version-

   Cisco ≫ 1100 Integrated Services Router Version-
   Cisco ≫ Aironet 1540 Version-
   Cisco ≫ Aironet 1560 Version-
   Cisco ≫ Aironet 1800 Version-
   Cisco ≫ Aironet 2800 Version-
   Cisco ≫ Aironet 3800 Version-
   Cisco ≫ Aironet 4800 Version-
   Cisco ≫ Catalyst 9100 Version-
   Cisco ≫ Catalyst Iw6300 Version-
   Cisco ≫ Esw6300 Version-

Cisco ≫ Catalyst 9800 Firmware Version < 16.12.5

Cisco ≫ Catalyst 9800 Version-

Cisco ≫ Catalyst 9800 Firmware Version >= 17.1 < 17.3.3

Cisco ≫ Catalyst 9800 Version-

Cisco ≫ Catalyst 9800 Firmware Version >= 17.4 < 17.5.1

Cisco ≫ Catalyst 9800 Version-

Cisco ≫ Wireless Lan Controller Software Version < 8.5.171.0

Cisco ≫ Wireless Lan Controller Software Version >= 8.6 < 8.10.150.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.092

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
psirt@cisco.com	6.7	0.8	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-privesc-wEVfp8Ud

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-1449

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-1449

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-1449

EUVD