Lucene search

CiscoCISCO-SA-20190513-SECUREBOOT

HistoryMay 13, 2019 - 5:30 p.m.

Cisco Secure Boot Hardware Tampering Vulnerability

2019-05-1317:30:00

tools.cisco.com

386

EPSS

Percentile

0.4%

JSON

A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.

The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot”]

Affected configurations

Vulners

Node

ciscoasr_9000_rsp440_routerMatchany

ciscoasa_with_firepower_servicesMatchany

ciscoasr_1000_series_softwareMatchany

ciscoasr_900_series_softwareMatchany

cisconexus_3000Matchany

ciscocbr-8_firmwareMatchany

cisconetwork_convergence_system_6008Matchany

cisco5400_enterprise_network_compute_system_firmwareMatchany

cisconx_osMatchany

ciscocatalyst_digital_building_series_switches_firmwareMatchany

cisconetwork_convergence_system_6008Matchany

ciscocatalyst_digital_building_series_switches_firmwareMatchany

ciscofirepower_2100_firmwareMatchany

ciscoios_xe_sd-wan_16.11.1_when_installed_on_4000_series_integrated_servicesMatchany

ciscoindustrial_security_appliances_3000_firmwareMatchany

ciscoconnected_grid_router_1000Matchany

cisco829_industrial_integrated_services_router_firmwareMatchany

cisconexus_7000Matchany

ciscomds_9000Matchany

ciscofirepower_4100_next-generation_firewall_firmwareMatchany

ciscofirepower_9000_firmwareMatchany

ciscoic3000_industrial_compute_gatewayMatchany

ciscoasr_9006_routerMatchany

cisconexus_9000Matchany

ciscoons_15454_multiservice_transport_platformMatchany

cisconetwork_convergence_system_6008Matchany

ciscoasr_1006Match9000_series_aggregation_services_routers

ciscoasa_with_firepower_servicesMatchany

ciscoasr_1006Match1000_series_aggregation_services_routers

ciscoasr_1006Match900_series_aggregation_services_routers

ciscocisco_nexusMatch3000_series_switch

ciscocbr-8_firmwareMatchany

cisconetwork_convergence_system_6008Match5500_series

ciscociscoMatch5000_series_enterprise_network_compute_system

cisconx_osMatchany

ciscocatalystMatch6800_series_switches

cisconetwork_convergence_system_6008Match1000_series

ciscocatalystMatch9500_series_switches

ciscofirepowerMatch2100_series

ciscociscoMatch4000_series_integrated_services_routers

ciscociscoMatch3000_series_industrial_security_appliances_\(isa\)

ciscociscoMatch1000_series_connected_grid_routers

ciscociscoMatch800_series_industrial_integrated_services_routers

ciscocisco_nexusMatch7000_series_switches

ciscocisco_mdsMatch9700_series_multilayer_directors

ciscofirepowerMatch4100_series

ciscofirepowerMatch9000_series

ciscoic3000_industrial_compute_gatewayMatchany

ciscoasr_1006Match920_series_aggregation_services_router

ciscocisco_nexusMatch9000_series_switches

ciscoonsMatch15454_series_multiservice_transport_platforms

cisconetwork_convergence_system_6008Match2000_series

VendorProductVersionCPE
ciscoasr_9000_rsp440_routeranycpe:2.3:h:cisco:asr_9000_rsp440_router:any:*:*:*:*:*:*:*
ciscoasa_with_firepower_servicesanycpe:2.3:o:cisco:asa_with_firepower_services:any:*:*:*:*:*:*:*
ciscoasr_1000_series_softwareanycpe:2.3:a:cisco:asr_1000_series_software:any:*:*:*:*:*:*:*
ciscoasr_900_series_softwareanycpe:2.3:a:cisco:asr_900_series_software:any:*:*:*:*:*:*:*
cisconexus_3000anycpe:2.3:h:cisco:nexus_3000:any:*:*:*:*:*:*:*
ciscocbr-8_firmwareanycpe:2.3:o:cisco:cbr-8_firmware:any:*:*:*:*:*:*:*
cisconetwork_convergence_system_6008anycpe:2.3:h:cisco:network_convergence_system_6008:any:*:*:*:*:*:*:*
cisco5400_enterprise_network_compute_system_firmwareanycpe:2.3:o:cisco:5400_enterprise_network_compute_system_firmware:any:*:*:*:*:*:*:*
cisconx_osanycpe:2.3:o:cisco:nx_os:any:*:*:*:*:*:*:*
ciscocatalyst_digital_building_series_switches_firmwareanycpe:2.3:o:cisco:catalyst_digital_building_series_switches_firmware:any:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	asr_9000_rsp440_router	any	cpe:2.3:h:cisco:asr_9000_rsp440_router:any:::::::*
cisco	asa_with_firepower_services	any	cpe:2.3:o:cisco:asa_with_firepower_services:any:::::::*
cisco	asr_1000_series_software	any	cpe:2.3:a:cisco:asr_1000_series_software:any:::::::*
cisco	asr_900_series_software	any	cpe:2.3:a:cisco:asr_900_series_software:any:::::::*
cisco	nexus_3000	any	cpe:2.3:h:cisco:nexus_3000:any:::::::*
cisco	cbr-8_firmware	any	cpe:2.3:o:cisco:cbr-8_firmware:any:::::::*
cisco	network_convergence_system_6008	any	cpe:2.3:h:cisco:network_convergence_system_6008:any:::::::*
cisco	5400_enterprise_network_compute_system_firmware	any	cpe:2.3:o:cisco:5400_enterprise_network_compute_system_firmware:any:::::::*
cisco	nx_os	any	cpe:2.3:o:cisco:nx_os:any:::::::*
cisco	catalyst_digital_building_series_switches_firmware	any	cpe:2.3:o:cisco:catalyst_digital_building_series_switches_firmware:any:::::::*