CVE-2019-1808

15.05.2019, 23:29

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by loading an unsigned software patch on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.4 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
cisco	CNA	6.7 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Vendor	Product	Version
cisco	nx-os	7.3 ≤ 𝑥 < 8.1\(1a\)
cisco	nx-os	8.2 ≤ 𝑥 < 8.3\(1\)
cisco	nx-os	7.2 ≤ 𝑥 < 7.3\(3\)d1\(1\)
cisco	nx-os	8.0 ≤ 𝑥 < 8.2\(3\)

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

http://www.securityfocus.com/bid/108367

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-spsv

http://www.securityfocus.com/bid/108367

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-spsv