CVE-2020-3524 : A vulnerability in the Cisco IOS XE ROM Monitor (ROMMON) Software for Cisco 4000 Series Integrated Services Routers, Cis

A vulnerability in the Cisco IOS XE ROM Monitor (ROMMON) Software for Cisco 4000 Series Integrated Services Routers, Cisco ASR 920 Series Aggregation Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, physical attacker to break the chain of trust and load a compromised software image on an affected device. The vulnerability is due to the presence of a debugging configuration option in the affected software. An attacker could exploit this vulnerability by connecting to an affected device through the console, forcing the device into ROMMON mode, and writing a malicious pattern using that specific option on the device. A successful exploit could allow the attacker to break the chain of trust and load a compromised software image on the affected device. A compromised software image is any software image that has not been digitally signed by Cisco.

Published 2020-09-24 18:15:22

Updated 2023-05-22 18:57:25

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2020-3524

Probability of exploitation activity in the next 30 days: 0.07%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 29 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-3524

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
6.4	MEDIUM	CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	0.5	5.9	Cisco Systems, Inc.
Attack Vector: Physical Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.8	MEDIUM	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	0.9	5.9	NIST
Attack Vector: Physical Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-3524

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: ykramarz@cisco.com (Secondary)
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-3524

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rommon-secboot-7JgVLVYC

Cisco IOS XE ROM Monitor Software Vulnerability
Vendor Advisory

Products affected by CVE-2020-3524

Cisco » Ios Xe Rom Monitor
Versions before (<) 15.6\(18r\)
cpe:2.3:o:cisco:ios_xe_rom_monitor:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Asr-920-10sz-pd » Version: N/A
When used together with: Cisco » Asr-920-12cz-a » Version: N/A
When used together with: Cisco » Asr-920-12cz-d » Version: N/A
When used together with: Cisco » Asr-920-12sz-a » Version: N/A
When used together with: Cisco » Asr-920-12sz-d » Version: N/A
When used together with: Cisco » Asr-920-20sz-m » Version: N/A
When used together with: Cisco » Asr-920-24sz-im » Version: N/A
When used together with: Cisco » Asr-920-24sz-m » Version: N/A
When used together with: Cisco » Asr-920-24tz-m » Version: N/A
When used together with: Cisco » Asr-920-4sz-a » Version: N/A
When used together with: Cisco » Asr-920-4sz-d » Version: N/A
When used together with: Cisco » Asr 920u-12sz-im » Version: N/A
Cisco » Ios Xe Rom Monitor
Versions before (<) 16.4\(1r\)s
cpe:2.3:o:cisco:ios_xe_rom_monitor:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Cbr8 » Version: N/A
Cisco » Ios Xe Rom Monitor
Versions before (<) 16.2\(1r\)
cpe:2.3:o:cisco:ios_xe_rom_monitor:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » 4221 Integrated Services Router » Version: N/A
When used together with: Cisco » 4331 Integrated Services Router » Version: N/A
When used together with: Cisco » 4431 Integrated Services Router » Version: N/A
When used together with: Cisco » 4461 Integrated Services Router » Version: N/A

Vulnerability Details : CVE-2020-3524

Exploit prediction scoring system (EPSS) score for CVE-2020-3524

CVSS scores for CVE-2020-3524

CWE ids for CVE-2020-3524

References for CVE-2020-3524

Products affected by CVE-2020-3524