CVE-2023-20135Improper Verification of Cryptographic Signature in Cisco IOS XR

CWE-347Improper Verification of Cryptographic SignatureCWE-367Time-of-check Time-of-use (TOCTOU) Race Condition4 documents4 sources
Severity
7.0HIGHNVD
CNA5.7
EPSS
0.0%
top 96.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XRCisco IOS XR Software
Timeline
PublishedSep 13

Description

A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successfu

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages2 packages

CVEListV5cisco/cisco_ios_xr_software10 versions+9
NVDcisco/ios_xr7.5.27.6+1

🔴Vulnerability Details

2
GHSA
GHSA-6v48-qpg5-fj4m: A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the under2023-09-13
CVEList
CVE-2023-20135: A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the under2023-09-13

📋Vendor Advisories

1
Cisco
Cisco IOS XR Software Image Verification Vulnerability2023-09-13
CVE-2023-20135 — Cisco IOS XR vulnerability | cvebase