Improper Verification of Cryptographic Signature in Cisco IOS XE Software for the Catalyst 9000 Family

1) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU51778

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1453

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to an improper check in the code function that manages the verification of the digital signatures of system image files during the initial boot process. An attacker with physical access can boot a malicious software image or execute unsigned code and bypass the image verification check part of the secure boot process of an affected device.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco IOS XE: 17.2.1 - 17.4.1

Catalyst C9500-32C Switch: All versions

Catalyst C9500-32QC Switch: All versions

Catalyst C9500-24Y4C Switch: All versions

Catalyst C9500-48Y4C Switch: All versions

:

Cisco Catalyst 9400 Series Switches: All versions

Cisco Catalyst 9600 Series Switches: All versions

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-cat-verify-BQ5hrXgH

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.