7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%
According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 95c28f5f9dc151f8ee5e74c04d8035b256da43c7d7c30bd3caa300af854b862157217a95a44ce10f8e961a34e0146e87bb73bbe9a518e3bb7adb2afb3e8cdc1a3a260c3c8962bf85181218685b9fbb332adbcefe2d2346d0cbd423aceea7398df3b327f1a21a618c5bb816fcd5831f08bba4d2915a91cdadf64c10cf3912b4bbfe9a2ab9d6ac03649f64fdb4476ca7030b880f60065787a0b929ad32b04cb2149d0255ebb05f0acdfbc4c4a2ab5edaefc63b1e5ad1f1680b007dde693244c2d50f26e30074463baa420b10bbb0e3772ef30311cc42996c117274dff66ebe288d096185151714d6db02e4c2b257334d322af264fa57acd8743fb04cdec52fbb69904825cbde2caab1637b9923f066c0d6c62ffa30a67b4f42fa63ba98fb1470608512afe9f1a6d515d3678492c34595cdbd95bf10fb4c566ed6db7ba154b3e770e1afbdf59a6925898a736ef9b8fabce5c7e8d56a7c78726d45d5d5998e8fb85d993b448e2e77c55a9b7797a1bacab49182424fca7f735caa27ea1863037ca127e23a99b0c60cdbb8afa9f0c5df8bb746a3b05f411c625c4c157901dca835b47e9205b8c72c931fa27f922c3563180db78eea4a099ab7d9adc6db78dc274ba904bef01141839ae8ee10de7b2f95b108ae09a1219172965a9e2ca44dc9e5e75cf4f09cbdbe9cf15465b144df002698b2f5e636ef5886ba46b402e1d046b1040d0a
#TRUST-RSA-SHA256 17ecf7ccc0d0a5bac46102fc72b80dc598b735d9e95878e9ad0873a2e64d4e15d02ca0805020410433576c8450353b34e1465c3008f89c632e063f6c0521bc4353ab1062013eca5b291e9291816d13ef9cdb85eb76d3ebc7b6878870075d8e048185b8f8c4327d1e306e29048d0540202d73032de45dfacf406bc8205d995f4b1979631f07ee0860d04899f432689b69b527d636b0b22f9f58fa616d9679597c79bd9da0d316ce6ae797540fa536ad2b9f599349a0484efb6235b7a9d639a816aa555f084270da16623520a327b147793c8e60f94f1dbb2754aff24e4b85ec331dc1b8293782a43ee6fe41003a4a700226f7fc140b58fe781eaf94ec3e1418750c46a1d0adc63e92b59556adfe4cf04679b572226969db27f9c5a24afc276151708b2137abd5a37795c9348f4ccfe437285f7f266dae091ffb1c3e125b33994dae5ca08defff22e7195f4c6b38d965d08a255a2a64bf58afba85311c53ef334148ad351456e5bef913027bac39c88324fef6621babedd4ffe355b988bdaeb78541cf96e621ecfaa3142ea1c7dbc81b45f4be0cb6e71064a48595aaae4da312a1deb2a783760a8f17c412eb2e93e84dac49627d40e32c672b59c95a52b3daf923c3616d4ee5d9ef859dc106ceda471ad64deaed0a5b27c209de90fbca519e12f5115a918d8674d07d30dbdc74c85a2acbd47321adecd30a8683ed607926515048
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(183213);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/15");
script_cve_id("CVE-2023-20236");
script_xref(name:"CISCO-BUG-ID", value:"CSCvz63918");
script_xref(name:"CISCO-BUG-ID", value:"CSCvz63925");
script_xref(name:"CISCO-BUG-ID", value:"CSCvz63929");
script_xref(name:"CISCO-BUG-ID", value:"CSCwe12502");
script_xref(name:"CISCO-SA", value:"cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB");
script_xref(name:"IAVA", value:"2024-A-0169");
script_name(english:"Cisco IOS XR Software iPXE Boot Signature Bypass (cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
- A vulnerability in the iPXE boot function of Cisco IOS XR software could allow an authenticated, local
attacker to install an unverified software image on an affected device. This vulnerability is due to
insufficient image verification. An attacker could exploit this vulnerability by manipulating the boot
parameters for image verification during the iPXE boot process on an affected device. A successful exploit
could allow the attacker to boot an unverified software image on the affected device. (CVE-2023-20236)
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e01dceae");
# https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75241
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a0abd7f");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz63918");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz63925");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz63929");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe12502");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvz63918, CSCvz63925, CSCvz63929, CSCwe12502");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20236");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/13");
script_set_attribute(attribute:"patch_publication_date", value:"2023/09/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/17");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xr_version.nasl");
script_require_keys("Host/Cisco/IOS-XR/Version", "Host/Cisco/IOS-XR/Model");
exit(0);
}
include('ccf.inc');
var product_info = cisco::get_product_info(name:'Cisco IOS XR');
var model = toupper(product_info.model);
# Vulnerable model list
if ((model =~ "ASR9\s?[0-9]{3}") ||
(model =~ "NCS\s?[145][0-9]{3}") ||
(model =~ "NCS\s?5[46][0-9]{1}") ||
(model =~ "8[0-9]{3}"))
var vuln_ranges = [{'min_ver': '0.0', 'fix_ver': '7.10.1'}];
else
audit(AUDIT_HOST_NOT, 'affected');
var reporting = make_array(
'port' , product_info['port'],
'severity' , SECURITY_WARNING,
'version' , product_info['version'],
'bug_id' , 'CSCvz63918, CSCvz63925, CSCvz63929, CSCwe12502',
'disable_caveat', TRUE
);
cisco::check_and_report(
product_info:product_info,
reporting:reporting,
vuln_ranges:vuln_ranges
);
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%