CVE-2023-20135 - Vulnerability Details - OpenCVE

A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation None

Automatable No

Technical Impact Total

Vendors	Products
Cisco	Ios Xr

Configuration 1 [-]

OR	cpe:2.3:o:cisco:ios_xr::::::::
	cpe:2.3:o:cisco:ios_xr::::::::

No data.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5

History

Wed, 23 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'No', 'Exploitation': 'None', 'Technical Impact': 'Total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2023-09-13T16:38:36.593Z

Updated: 2024-10-23T19:41:34.741Z

Reserved: 2022-10-27T18:47:50.351Z

Link: CVE-2023-20135

Vulnrichment

Updated: 2024-08-02T08:57:36.157Z

NVD

Status : Modified

Published: 2023-09-13T17:15:09.253

Modified: 2024-11-21T07:40:38.240

Link: CVE-2023-20135

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-20135", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2022-10-27T18:47:50.351Z", "datePublished": "2023-09-13T16:38:36.593Z", "dateUpdated": "2024-10-23T19:41:34.741Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-01-25T16:57:47.716Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system.\r\n\r This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device."}], "affected": [{"vendor": "Cisco", "product": "Cisco IOS XR Software", "versions": [{"version": "7.5.3", "status": "affected"}, {"version": "7.5.2", "status": "affected"}, {"version": "7.5.4", "status": "affected"}, {"version": "7.7.1", "status": "affected"}, {"version": "7.7.2", "status": "affected"}, {"version": "7.7.21", "status": "affected"}, {"version": "7.8.1", "status": "affected"}, {"version": "7.8.2", "status": "affected"}, {"version": "7.9.1", "status": "affected"}, {"version": "7.9.2", "status": "affected"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Verification of Cryptographic Signature", "type": "cwe", "cweId": "CWE-347"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5", "name": "cisco-sa-lnt-L9zOkBz5"}], "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "source": {"advisory": "cisco-sa-lnt-L9zOkBz5", "discovery": "INTERNAL", "defects": ["CSCwd87928"]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:36.157Z"}, "title": "CVE Program Container", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5", "name": "cisco-sa-lnt-L9zOkBz5", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2023-11-15T16:36:16.730906Z", "id": "CVE-2023-20135", "options": [{"Exploitation": "None"}, {"Automatable": "No"}, {"Technical Impact": "Total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T19:41:34.741Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5", "name": "cisco-sa-lnt-L9zOkBz5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:36.157Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-20135", "role": "CISA Coordinator", "options": [{"Exploitation": "None"}, {"Automatable": "No"}, {"Technical Impact": "Total"}], "version": "2.0.3", "timestamp": "2023-11-15T16:36:16.730906Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T18:59:35.144Z"}}], "cna": {"source": {"defects": ["CSCwd87928"], "advisory": "cisco-sa-lnt-L9zOkBz5", "discovery": "INTERNAL"}, "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Cisco", "product": "Cisco IOS XR Software", "versions": [{"status": "affected", "version": "7.5.3"}, {"status": "affected", "version": "7.5.2"}, {"status": "affected", "version": "7.5.4"}, {"status": "affected", "version": "7.7.1"}, {"status": "affected", "version": "7.7.2"}, {"status": "affected", "version": "7.7.21"}, {"status": "affected", "version": "7.8.1"}, {"status": "affected", "version": "7.8.2"}, {"status": "affected", "version": "7.9.1"}, {"status": "affected", "version": "7.9.2"}]}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5", "name": "cisco-sa-lnt-L9zOkBz5"}], "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system.\r\n\r This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-347", "description": "Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-01-25T16:57:47.716Z"}}}, "cveMetadata": {"cveId": "CVE-2023-20135", "state": "PUBLISHED", "dateUpdated": "2024-10-23T19:41:34.741Z", "dateReserved": "2022-10-27T18:47:50.351Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2023-09-13T16:38:36.593Z", "assignerShortName": "cisco"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*", "matchCriteriaId": "93148C76-2970-48D4-942A-D67B68352EA9", "versionEndExcluding": "7.6", "versionStartIncluding": "7.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*", "matchCriteriaId": "75317BEF-7612-49E8-A4B2-9C90AADE3BB0", "versionEndExcluding": "7.10.1", "versionStartIncluding": "7.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system.\r\n\r This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device."}, {"lang": "es", "value": "Una vulnerabilidad en las comprobaciones de verificaci\u00f3n de im\u00e1genes del Software Cisco IOS XR podr\u00eda permitir que un atacante local autenticado ejecute c\u00f3digo arbitrario en el sistema operativo subyacente. Esta vulnerabilidad se debe a una condici\u00f3n de ejecuci\u00f3n de tiempo de verificaci\u00f3n, tiempo de uso (TOCTOU) cuando se realiza una consulta de instalaci\u00f3n relacionada con una imagen ISO durante una operaci\u00f3n de instalaci\u00f3n que utiliza una imagen ISO. Un atacante podr\u00eda aprovechar esta vulnerabilidad modificando una imagen ISO y luego realizando solicitudes de instalaci\u00f3n en paralelo. Una explotaci\u00f3n existosa podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario en un dispositivo afectado."}], "id": "CVE-2023-20135", "lastModified": "2024-11-21T07:40:38.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "ykramarz@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-13T17:15:09.253", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "ykramarz@cisco.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Primary"}]}