7.8
CVE-2023-20236
- EPSS 0.02%
- Published 13.09.2023 17:15:09
- Last modified 21.11.2024 07:40:57
- Source psirt@cisco.com
A vulnerability in the iPXE boot function of Cisco IOS XR software could allow an authenticated, local attacker to install an unverified software image on an affected device. This vulnerability is due to insufficient image verification. An attacker could exploit this vulnerability by manipulating the boot parameters for image verification during the iPXE boot process on an affected device. A successful exploit could allow the attacker to boot an unverified software image on the affected device.
Data provided by the National Vulnerability Database (NVD)
Cisco ≫ Ios Xr Version < 7.10.1
Cisco ≫ 8201 Version-
Cisco ≫ 8202 Version-
Cisco ≫ 8208 Version-
Cisco ≫ 8212 Version-
Cisco ≫ 8218 Version-
Cisco ≫ 8804 Version-
Cisco ≫ 8808 Version-
Cisco ≫ 8812 Version-
Cisco ≫ 8818 Version-
Cisco ≫ 8831 Version-
Cisco ≫ Asr 9000 Version-
Cisco ≫ Asr 9000v Version-
Cisco ≫ Asr 9001 Version-
Cisco ≫ Asr 9006 Version-
Cisco ≫ Asr 9010 Version-
Cisco ≫ Asr 9901 Version-
Cisco ≫ Asr 9902 Version-
Cisco ≫ Asr 9903 Version-
Cisco ≫ Asr 9904 Version-
Cisco ≫ Asr 9906 Version-
Cisco ≫ Asr 9910 Version-
Cisco ≫ Asr 9912 Version-
Cisco ≫ Asr 9920 Version-
Cisco ≫ Asr 9922 Version-
Cisco ≫ Ncs 1001 Version-
Cisco ≫ Ncs 1002 Version-
Cisco ≫ Ncs 1004 Version-
Cisco ≫ Ncs 4009 Version-
Cisco ≫ Ncs 4016 Version-
Cisco ≫ Ncs 4201 Version-
Cisco ≫ Ncs 4202 Version-
Cisco ≫ Ncs 4206 Version-
Cisco ≫ Ncs 4216 Version-
Cisco ≫ Ncs 5001 Version-
Cisco ≫ Ncs 5002 Version-
Cisco ≫ Ncs 5011 Version-
Cisco ≫ Ncs 540 Version-
Cisco ≫ Ncs 5500 Version-
Cisco ≫ Ncs 5501 Version-
Cisco ≫ Ncs 5501 Versionse
Cisco ≫ Ncs 5502 Version-
Cisco ≫ Ncs 5502 Versionse
Cisco ≫ Ncs 5504 Version-
Cisco ≫ Ncs 5508 Version-
Cisco ≫ Ncs 5516 Version-
Cisco ≫ Ncs 560 Version-
Cisco ≫ Ncs 560-4 Version-
Cisco ≫ Ncs 560-7 Version-
Cisco ≫ Ncs 57b1-5dse-sys Version-
Cisco ≫ Ncs 57b1-6d24-sys Version-
Cisco ≫ Ncs 57c1-48q6-sys Version-
Cisco ≫ Ncs 57c3-mod-sys Version-
Cisco ≫ Ncs 57c3-mods-sys Version-
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.02% | 0.036 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 7.8 | 1.8 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
psirt@cisco.com | 6.7 | 0.8 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.