// For flags

CVE-2022-20944

Cisco IOS XE Software for Catalyst 9200 Series Switches Arbitrary Code Execution Vulnerability

Severity Score

6.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A vulnerability in the software image verification functionality of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches could allow an unauthenticated, physical attacker to execute unsigned code at system boot time. This vulnerability is due to an improper check in the code function that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to boot a malicious software image or execute unsigned code and bypass the image verification check part of the boot process of the affected device. To exploit this vulnerability, the attacker needs either unauthenticated physical access to the device or privileged access to the root shell on the device. Note: In Cisco IOS XE Software releases 16.11.1 and later, root shell access is protected by the Consent Token mechanism. However, an attacker with level-15 privileges could easily downgrade the Cisco IOS XE Software running on a device to a release where root shell access is more readily available.

Una vulnerabilidad en la función de verificación de imágenes de software del software Cisco IOS XE para los switches Cisco Catalyst de la serie 9200 podría permitir a un atacante físico no autenticado ejecutar código no firmado en el momento del arranque del sistema. Esta vulnerabilidad es debido a una comprobación inapropiada en la función del código que administra la verificación de las firmas digitales de los archivos de imagen del sistema durante el proceso de arranque inicial. Un atacante podría explotar esta vulnerabilidad al cargar software no firmado en un dispositivo afectado. Una explotación con éxito podría permitir al atacante arrancar una imagen de software malicioso o ejecutar código no firmado y omitir la parte de verificación de la imagen del proceso de arranque del dispositivo afectado. Para explotar esta vulnerabilidad, el atacante necesita un acceso físico no autenticado al dispositivo o un acceso privilegiado al shell root del dispositivo. Nota: En versiones 16.11.1 y posteriores del software Cisco IOS XE, el acceso al shell root está protegido por el mecanismo de token de consentimiento. Sin embargo, un atacante con privilegios de nivel 15 podría fácilmente degradar el software Cisco IOS XE que es ejecutado en un dispositivo a una versión en la que el acceso al shell root está más disponible

*Credits: N/A
CVSS Scores
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2021-11-02 CVE Reserved
  • 2022-10-10 CVE Published
  • 2024-03-10 EPSS Updated
  • 2024-11-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst 9200
Search vendor "Cisco" for product "Catalyst 9200"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst 9200cx
Search vendor "Cisco" for product "Catalyst 9200cx"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst 9200l
Search vendor "Cisco" for product "Catalyst 9200l"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200-24p
Search vendor "Cisco" for product "Catalyst C9200-24p"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200-24t
Search vendor "Cisco" for product "Catalyst C9200-24t"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200-48p
Search vendor "Cisco" for product "Catalyst C9200-48p"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200-48t
Search vendor "Cisco" for product "Catalyst C9200-48t"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-24p-4g
Search vendor "Cisco" for product "Catalyst C9200l-24p-4g"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-24p-4x
Search vendor "Cisco" for product "Catalyst C9200l-24p-4x"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-24pxg-2y
Search vendor "Cisco" for product "Catalyst C9200l-24pxg-2y"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-24pxg-4x
Search vendor "Cisco" for product "Catalyst C9200l-24pxg-4x"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-24t-4g
Search vendor "Cisco" for product "Catalyst C9200l-24t-4g"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-24t-4x
Search vendor "Cisco" for product "Catalyst C9200l-24t-4x"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-48p-4g
Search vendor "Cisco" for product "Catalyst C9200l-48p-4g"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-48p-4x
Search vendor "Cisco" for product "Catalyst C9200l-48p-4x"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-48pxg-2y
Search vendor "Cisco" for product "Catalyst C9200l-48pxg-2y"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-48pxg-4x
Search vendor "Cisco" for product "Catalyst C9200l-48pxg-4x"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-48t-4g
Search vendor "Cisco" for product "Catalyst C9200l-48t-4g"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
--
Affected
in Cisco
Search vendor "Cisco"
Catalyst C9200l-48t-4x
Search vendor "Cisco" for product "Catalyst C9200l-48t-4x"
--
Safe