Lucene search

CiscoCVE-2021-1441

HistoryMar 24, 2021 - 8:15 p.m.

CVE-2021-1441

2021-03-2420:15:15

CWE-78

cisco

web.nvd.nist.gov

cisco

ios xe

vulnerability

hardware

authentication

local attacker

unsigned code

system boot time

esr6300

security

nvd

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

Percentile

5.2%

JSON

A vulnerability in the hardware initialization routines of Cisco IOS XE Software for Cisco 1100 Series Industrial Integrated Services Routers and Cisco ESR6300 Embedded Series Routers could allow an authenticated, local attacker to execute unsigned code at system boot time. This vulnerability is due to incorrect validations of parameters passed to a diagnostic script that is executed when the device boots up. An attacker could exploit this vulnerability by tampering with an executable file stored on a device. A successful exploit could allow the attacker to execute unsigned code at boot time and bypass the software image verification check part of the secure boot process of an affected device. To exploit this vulnerability, the attacker would need administrative level credentials (level 15) on the device.

Affected configurations

Nvd

Node

ciscoios_xeMatch3.15.1xbs

ciscoios_xeMatch3.15.2xbs

ciscoios_xeMatch16.9.1

ciscoios_xeMatch16.9.1c

ciscoios_xeMatch16.10.1

ciscoios_xeMatch16.10.1e

ciscoios_xeMatch16.11.1

ciscoios_xeMatch16.11.1c

ciscoios_xeMatch16.11.1s

ciscoios_xeMatch16.12.1

ciscoios_xeMatch16.12.1c

ciscoios_xeMatch16.12.1s

ciscoios_xeMatch16.12.1za

ciscoios_xeMatch16.12.2

ciscoios_xeMatch16.12.2s

ciscoios_xeMatch16.12.2t

ciscoios_xeMatch16.12.3

ciscoios_xeMatch16.12.3s

ciscoios_xeMatch16.12.4

ciscoios_xeMatch17.1.1

ciscoios_xeMatch17.1.1s

ciscoios_xeMatch17.1.1t

ciscoios_xeMatch17.1.2

ciscoios_xeMatch17.2.1

ciscoios_xeMatch17.2.1r

ciscoios_xeMatch17.2.1v

ciscoios_xeMatch17.2.3

AND

ciscoesr6300Match-

ciscoir1101Match-

VendorProductVersionCPE
ciscoios_xe3.15.1xbscpe:2.3:o:cisco:ios_xe:3.15.1xbs:*:*:*:*:*:*:*
ciscoios_xe3.15.2xbscpe:2.3:o:cisco:ios_xe:3.15.2xbs:*:*:*:*:*:*:*
ciscoios_xe16.9.1cpe:2.3:o:cisco:ios_xe:16.9.1:*:*:*:*:*:*:*
ciscoios_xe16.9.1ccpe:2.3:o:cisco:ios_xe:16.9.1c:*:*:*:*:*:*:*
ciscoios_xe16.10.1cpe:2.3:o:cisco:ios_xe:16.10.1:*:*:*:*:*:*:*
ciscoios_xe16.10.1ecpe:2.3:o:cisco:ios_xe:16.10.1e:*:*:*:*:*:*:*
ciscoios_xe16.11.1cpe:2.3:o:cisco:ios_xe:16.11.1:*:*:*:*:*:*:*
ciscoios_xe16.11.1ccpe:2.3:o:cisco:ios_xe:16.11.1c:*:*:*:*:*:*:*
ciscoios_xe16.11.1scpe:2.3:o:cisco:ios_xe:16.11.1s:*:*:*:*:*:*:*
ciscoios_xe16.12.1cpe:2.3:o:cisco:ios_xe:16.12.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	ios_xe	3.15.1xbs	cpe:2.3:o:cisco:ios_xe:3.15.1xbs:::::::*
cisco	ios_xe	3.15.2xbs	cpe:2.3:o:cisco:ios_xe:3.15.2xbs:::::::*
cisco	ios_xe	16.9.1	cpe:2.3:o:cisco:ios_xe:16.9.1:::::::*
cisco	ios_xe	16.9.1c	cpe:2.3:o:cisco:ios_xe:16.9.1c:::::::*
cisco	ios_xe	16.10.1	cpe:2.3:o:cisco:ios_xe:16.10.1:::::::*
cisco	ios_xe	16.10.1e	cpe:2.3:o:cisco:ios_xe:16.10.1e:::::::*
cisco	ios_xe	16.11.1	cpe:2.3:o:cisco:ios_xe:16.11.1:::::::*
cisco	ios_xe	16.11.1c	cpe:2.3:o:cisco:ios_xe:16.11.1c:::::::*
cisco	ios_xe	16.11.1s	cpe:2.3:o:cisco:ios_xe:16.11.1s:::::::*
cisco	ios_xe	16.12.1	cpe:2.3:o:cisco:ios_xe:16.12.1:::::::*

Rows per page:

1-10 of 291

CNA Affected

[
  {
    "product": "Cisco IOS XE Software",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-iot-codexec-k46EFF6q

Social References

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

Percentile

5.2%

JSON

Related for CVE-2021-1441