Vulnerability Details : CVE-2023-20236
A vulnerability in the iPXE boot function of Cisco IOS XR software could allow an authenticated, local attacker to install an unverified software image on an affected device.
This vulnerability is due to insufficient image verification. An attacker could exploit this vulnerability by manipulating the boot parameters for image verification during the iPXE boot process on an affected device. A successful exploit could allow the attacker to boot an unverified software image on the affected device.
Products affected by CVE-2023-20236
- cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-20236
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-20236
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.7
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
N/A
|
N/A
|
Cisco:cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB | 2024-03-13 |
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST | |
6.7
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
0.8
|
5.9
|
Cisco Systems, Inc. |
CWE ids for CVE-2023-20236
-
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Assigned by: nvd@nist.gov (Primary)
-
The product does not verify, or incorrectly verifies, the cryptographic signature for data.Assigned by: ykramarz@cisco.com (Secondary)
References for CVE-2023-20236
-
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB
Cisco IOS XR Software iPXE Boot Signature Bypass VulnerabilityVendor Advisory
Jump to