CVE-2019-1808 : A vulnerability in the Image Signature Verification feature of Cisco NX-OS Softw

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by loading an unsigned software patch on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image.

Published 2019-05-15 23:29:01

Updated 2023-03-24 17:46:15

Source Cisco Systems, Inc.

View at NVD, CVE.org

Products affected by CVE-2019-1808

Cisco » Nx-os
Versions from including (>=) 7.2 and before (<) 7.3\(3\)d1\(1\)
cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » 7000 10-slot » Version: N/A
When used together with: Cisco » 7000 18-slot » Version: N/A
When used together with: Cisco » 7000 4-slot » Version: N/A
When used together with: Cisco » 7000 9-slot » Version: N/A
When used together with: Cisco » 7700 10-slot » Version: N/A
When used together with: Cisco » 7700 18-slot » Version: N/A
When used together with: Cisco » 7700 2-slot » Version: N/A
When used together with: Cisco » 7700 6-slot » Version: N/A
When used together with: Cisco » N77-f312ck-26 » Version: N/A
When used together with: Cisco » N77-f324fq-25 » Version: N/A
When used together with: Cisco » N77-f348xp-23 » Version: N/A
When used together with: Cisco » N77-f430cq-36 » Version: N/A
When used together with: Cisco » N77-m312cq-26l » Version: N/A
When used together with: Cisco » N77-m324fq-25l » Version: N/A
When used together with: Cisco » N77-m348xp-23l » Version: N/A
When used together with: Cisco » N7k-f248xp-25e » Version: N/A
When used together with: Cisco » N7k-f306ck-25 » Version: N/A
When used together with: Cisco » N7k-f312fq-25 » Version: N/A
When used together with: Cisco » N7k-m202cf-22l » Version: N/A
When used together with: Cisco » N7k-m206fq-23l » Version: N/A
When used together with: Cisco » N7k-m224xp-23l » Version: N/A
When used together with: Cisco » N7k-m324fq-25l » Version: N/A
When used together with: Cisco » N7k-m348xp-25l » Version: N/A
When used together with: Cisco » Nexus 7000 Supervisor 1 » Version: N/A
When used together with: Cisco » Nexus 7000 Supervisor 2 » Version: N/A
When used together with: Cisco » Nexus 7000 Supervisor 2e » Version: N/A
When used together with: Cisco » Nexus 7700 Supervisor 2e » Version: N/A
When used together with: Cisco » Nexus 7700 Supervisor 3e » Version: N/A
Cisco » Nx-os
Versions from including (>=) 7.3 and before (<) 8.1\(1a\)
cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Mds 9706 » Version: N/A
When used together with: Cisco » Mds 9710 » Version: N/A
When used together with: Cisco » Mds 9718 » Version: N/A
Cisco » Nx-os
Versions from including (>=) 8.0 and before (<) 8.2\(3\)
cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » 7000 10-slot » Version: N/A
When used together with: Cisco » 7000 18-slot » Version: N/A
When used together with: Cisco » 7000 4-slot » Version: N/A
When used together with: Cisco » 7000 9-slot » Version: N/A
When used together with: Cisco » 7700 10-slot » Version: N/A
When used together with: Cisco » 7700 18-slot » Version: N/A
When used together with: Cisco » 7700 2-slot » Version: N/A
When used together with: Cisco » 7700 6-slot » Version: N/A
When used together with: Cisco » N77-f312ck-26 » Version: N/A
When used together with: Cisco » N77-f324fq-25 » Version: N/A
When used together with: Cisco » N77-f348xp-23 » Version: N/A
When used together with: Cisco » N77-f430cq-36 » Version: N/A
When used together with: Cisco » N77-m312cq-26l » Version: N/A
When used together with: Cisco » N77-m324fq-25l » Version: N/A
When used together with: Cisco » N77-m348xp-23l » Version: N/A
When used together with: Cisco » N7k-f248xp-25e » Version: N/A
When used together with: Cisco » N7k-f306ck-25 » Version: N/A
When used together with: Cisco » N7k-f312fq-25 » Version: N/A
When used together with: Cisco » N7k-m202cf-22l » Version: N/A
When used together with: Cisco » N7k-m206fq-23l » Version: N/A
When used together with: Cisco » N7k-m224xp-23l » Version: N/A
When used together with: Cisco » N7k-m324fq-25l » Version: N/A
When used together with: Cisco » N7k-m348xp-25l » Version: N/A
When used together with: Cisco » Nexus 7000 Supervisor 1 » Version: N/A
When used together with: Cisco » Nexus 7000 Supervisor 2 » Version: N/A
When used together with: Cisco » Nexus 7000 Supervisor 2e » Version: N/A
When used together with: Cisco » Nexus 7700 Supervisor 2e » Version: N/A
When used together with: Cisco » Nexus 7700 Supervisor 3e » Version: N/A
Cisco » Nx-os
Versions from including (>=) 8.2 and before (<) 8.3\(1\)
cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Mds 9706 » Version: N/A
When used together with: Cisco » Mds 9710 » Version: N/A
When used together with: Cisco » Mds 9718 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2019-1808

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 22 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-1808

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:N/I:P/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.7	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	Cisco Systems, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
4.4	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N	0.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2019-1808

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)

References for CVE-2019-1808

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-spsv

Cisco MDS 9700 Series Multilayer Directors and Nexus 7000/7700 Series Switches Software Patch Signature Verification Vulnerability
Vendor Advisory
http://www.securityfocus.com/bid/108367

Multiple Cisco Products CVE-2019-1808 Local Security Bypass Vulnerability
Broken Link;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2019-1808

Products affected by CVE-2019-1808

Exploit prediction scoring system (EPSS) score for CVE-2019-1808

CVSS scores for CVE-2019-1808

CWE ids for CVE-2019-1808

References for CVE-2019-1808