Cisco NX-OS CLI Command Software Image Signature Verification Vulnerabilities

2019-05-15T16:00:00
ID CISCO-SA-20190515-NXOS-SISV2
Type cisco
Reporter Cisco
Modified 2019-05-14T20:39:46

Description

A vulnerability in the Image Signature Verification checks used in some NX-OS CLI commands could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device.

This vulnerability is due to improper verification of software digital signatures during CLI command execution. An attacker could exploit this vulnerability by installing an unsigned software image on an affected device. If the device has not been patched against the issue previously disclosed in Cisco Security Advisory cisco-sa-20190306-nxos-sig-verif (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif), a successful exploit could allow the attacker to boot a malicious software image.

A vulnerability in the Image Signature Verification feature used in some NX-OS CLI commands in Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device.

This vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device.

Note: If the device has not been patched for the vulnerability previously disclosed in the Cisco Security Advisory cisco-sa-20190306-nxos-sig-verif (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif), a successful exploit could allow the attacker to boot a malicious software image.

Multiple vulnerabilities in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device.

The vulnerabilities exist because software digital signatures are not properly verified during CLI command execution. An attacker could exploit these vulnerabilities to install an unsigned software image on an affected device.

Note: If the device has not been patched for the vulnerability previously disclosed in the Cisco Security Advisory cisco-sa-20190306-nxos-sig-verif (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif), a successful exploit could allow the attacker to boot a malicious software image.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-sisv2