CVE-2023-20016Use of Hard-coded Cryptographic Key in Cisco Fxos

CWE-321Use of Hard-coded Cryptographic KeyCWE-330Use of Insufficiently Random Values4 documents4 sources
Severity
6.5MEDIUMNVD
CNA6.3
EPSS
0.2%
top 56.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Cisco FxosCisco UCS Central SoftwareCisco Unified Computing System
Timeline
PublishedFeb 23

Description

A vulnerability in the backup configuration feature of Cisco UCS Manager Software and in the configuration export feature of Cisco FXOS Software could allow an unauthenticated attacker with access to a backup file to decrypt sensitive information stored in the full state and configuration backup files. This vulnerability is due to a weakness in the encryption method used for the backup function. An attacker could exploit this vulnerability by leveraging a static key used for the backup configura

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

NVDcisco/fxos< 2.6.1

🔴Vulnerability Details

2
GHSA
GHSA-xj38-cqqv-5f7w: A vulnerability in the backup configuration feature of Cisco UCS Manager Software and in the configuration export feature of Cisco FXOS Software could2023-02-23
CVEList
Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability2023-02-23

📋Vendor Advisories

1
Cisco
Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability2023-02-22
CVE-2023-20016 — Use of Hard-coded Cryptographic Key | cvebase