CVE-2022-20944

Cisco IOS XE Software for Catalyst 9200 Series Switches Arbitrary Code Execution Vulnerability

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the software image verification functionality of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches could allow an unauthenticated, physical attacker to execute unsigned code at system boot time. This vulnerability is due to an improper check in the code function that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to boot a malicious software image or execute unsigned code and bypass the image verification check part of the boot process of the affected device. To exploit this vulnerability, the attacker needs either unauthenticated physical access to the device or privileged access to the root shell on the device. Note: In Cisco IOS XE Software releases 16.11.1 and later, root shell access is protected by the Consent Token mechanism. However, an attacker with level-15 privileges could easily downgrade the Cisco IOS XE Software running on a device to a release where root shell access is more readily available.

Una vulnerabilidad en la función de verificación de imágenes de software del software Cisco IOS XE para los switches Cisco Catalyst de la serie 9200 podría permitir a un atacante físico no autenticado ejecutar código no firmado en el momento del arranque del sistema. Esta vulnerabilidad es debido a una comprobación inapropiada en la función del código que administra la verificación de las firmas digitales de los archivos de imagen del sistema durante el proceso de arranque inicial. Un atacante podría explotar esta vulnerabilidad al cargar software no firmado en un dispositivo afectado. Una explotación con éxito podría permitir al atacante arrancar una imagen de software malicioso o ejecutar código no firmado y omitir la parte de verificación de la imagen del proceso de arranque del dispositivo afectado. Para explotar esta vulnerabilidad, el atacante necesita un acceso físico no autenticado al dispositivo o un acceso privilegiado al shell root del dispositivo. Nota: En versiones 16.11.1 y posteriores del software Cisco IOS XE, el acceso al shell root está protegido por el mecanismo de token de consentimiento. Sin embargo, un atacante con privilegios de nivel 15 podría fácilmente degradar el software Cisco IOS XE que es ejecutado en un dispositivo a una versión en la que el acceso al shell root está más disponible

*Credits: N/A

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-02 CVE Reserved
2022-10-10 CVE Published
2024-03-10 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-347: Improper Verification of Cryptographic Signature

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-cat-verify-D4NEQA6q	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst 9200 Search vendor "Cisco" for product "Catalyst 9200"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst 9200cx Search vendor "Cisco" for product "Catalyst 9200cx"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst 9200l Search vendor "Cisco" for product "Catalyst 9200l"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200-24p Search vendor "Cisco" for product "Catalyst C9200-24p"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200-24t Search vendor "Cisco" for product "Catalyst C9200-24t"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200-48p Search vendor "Cisco" for product "Catalyst C9200-48p"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200-48t Search vendor "Cisco" for product "Catalyst C9200-48t"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-24p-4g Search vendor "Cisco" for product "Catalyst C9200l-24p-4g"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-24p-4x Search vendor "Cisco" for product "Catalyst C9200l-24p-4x"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-24pxg-2y Search vendor "Cisco" for product "Catalyst C9200l-24pxg-2y"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-24pxg-4x Search vendor "Cisco" for product "Catalyst C9200l-24pxg-4x"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-24t-4g Search vendor "Cisco" for product "Catalyst C9200l-24t-4g"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-24t-4x Search vendor "Cisco" for product "Catalyst C9200l-24t-4x"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-48p-4g Search vendor "Cisco" for product "Catalyst C9200l-48p-4g"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-48p-4x Search vendor "Cisco" for product "Catalyst C9200l-48p-4x"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-48pxg-2y Search vendor "Cisco" for product "Catalyst C9200l-48pxg-2y"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-48pxg-4x Search vendor "Cisco" for product "Catalyst C9200l-48pxg-4x"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-48t-4g Search vendor "Cisco" for product "Catalyst C9200l-48t-4g"	-	-	Safe
Cisco Search vendor "Cisco"	Ios Xe Search vendor "Cisco" for product "Ios Xe"	-	-	Affected	in	Cisco Search vendor "Cisco"	Catalyst C9200l-48t-4x Search vendor "Cisco" for product "Catalyst C9200l-48t-4x"	-	-	Safe