cisco-sa-iosxr-pxe-unsign-code-exec-qaa78fd2
Vulnerability from csaf_cisco
Published
2020-11-04 16:00
Modified
2020-12-01 17:50
Summary
Cisco IOS XR Software Enhanced Preboot eXecution Environment Unsigned Code Execution Vulnerability
Notes
Summary
A vulnerability in the enhanced Preboot eXecution Environment (PXE) boot loader for Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to execute unsigned code during the PXE boot process on an affected device. The PXE boot loader is part of the BIOS and runs over the management interface of hardware platforms that are running Cisco IOS XR Software only.
The vulnerability exists because internal commands that are issued when the PXE network boot process is loading a software image are not properly verified. An attacker could exploit this vulnerability by compromising the PXE boot server and replacing a valid software image with a malicious one. Alternatively, the attacker could impersonate the PXE boot server and send a PXE boot reply with a malicious file. A successful exploit could allow the attacker to execute unsigned code on the affected device.
Note: To fix this vulnerability, both the Cisco IOS XR Software and the BIOS must be upgraded. The BIOS code is included in Cisco IOS XR Software but might require additional installation steps. For further information, see the Fixed Software ["#fs"] section of this advisory.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2"]
Vulnerable Products
This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS XR 64-bit Software and the following conditions are met:
The product ID (PID) of the device matches one of the PIDs listed in the Fixed Software ["#fs"] section of this advisory.
The device is running a vulnerable BIOS version.
The device uses PXE for network boot.
For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.
Determine the Product ID
To check the PID of a device, use the show inventory raw CLI command. The following example shows the output of the command for a device that has the PID NC55-RP:
RP/0/RP0/CPU0:router# show inventory raw
.
. .
NAME: "0/RP0", DESCR: "NCS 5500 Route Processor"
PID: NC55-RP , VID: V01, SN: SAL1926HRW5
NAME: "0/1/* - cpu", DESCR: "cpu"
PID: , VID: V00, SN: SAD093000JR
NAME: "0/1/* - cpu - 1.6V_P0", DESCR: "Voltage Sensor"
PID: , VID: N/A, SN:
.
. .
If the PID is listed in one of the tables in the Fixed Software ["#fs"] section of this advisory, then the device may be vulnerable if it is running a vulnerable BIOS version and is using PXE for network boot.
Determine the BIOS Version
To determine which BIOS version is running on a device, use the show fpd package CLI command. The following example shows the output for a device that has the PID A9K-RSP880-LT-TR and is running BIOS version 17.16:
RP/0/RSP0/CPU0:router# show fpd package
Wed Nov 4 21:55:45.713 UTC =======================
================================================
Field Programmable Device Package
================================================ Card Type FPD Description Type Subtype SW
Version Min Req
SW Vers Min Req
HW Vers ======================= ========================== ==== ======= =========== ======== ========= ASR-9910-BPID2 Can Bus Ctrl (CBC) BP2
Can Bus Ctrl (CBC) BP2 bp
lc cbc
cbc 7.105
7.105 0.00
0.00 0.1
0.1 --------------------------------------------------------------------------------------------------------------------
.
.
.
A9K-RSP880-LT-TR Can Bus Ctrl (CBC) RSP4
MB CPUCtrl
DBCtrl
DBCtrl
DBCtrl
Fsbl
LinuxFW
ROMMONB RSP4L
lc
lc
lc
lc
lc
lc
lc
lc
cbc
fpga2
fpga3
fpga4
fpga5
fsbl
lnxfw
rommon 50.01
0.13
0.05
0.04
0.04
1.103
1.103
17.16 0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00 0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0 -------------------------------------------------------------------------------------------------------------------- .
.
.
To determine which BIOS version is running on a Network Convergence System 5500 Series Router, use the show hw-module fpd Bootloader CLI command. The following example shows the output for a device that has the PID NC55-RP-E and is running BIOS version 1.20.
RP/0/RP0/CPU0:router#show hw-module fpd Bootloader
Wed Sep 11 18:43:06.989 UTC FPD Versions
=================
Location Card type HWver FPD device ATR Status Running Programd
------------------------------------------------------------------------------
0/5 NC55-MOD-A-S 0.201 Bootloader CURRENT 1.02 1.02
0/6 NC55-24H12F-SE 0.0 Bootloader NEED UPGD 1.11 1.11
0/RP0 NC55-RP-E 1.1 Bootloader CURRENT 1.20 1.20
0/RP1 NC55-RP-E 1.1 Bootloader CURRENT 1.20 1.20
.
. .
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
8000 Series Routers
Carrier Routing System (CRS-X)
IOS Software
IOS XE Software
IOS XR 32-bit Software
IOS XR White box (IOSXRWBD)
IOS XRv 9000 Router
Network Convergence System (NCS) 6000 Series Routers
NX-OS Software
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
UCS B-Series Blade Servers
UCS C-Series M3 Rack Servers - Standalone
UCS C-Series M4 Rack Servers - Standalone
UCS C-Series M5 Rack Servers - Managed
UCS C-Series M5 Rack Servers - Standalone
Details
PXE is included in the network card of the management interface of routers that are running Cisco IOS XR Software and is part of the device BIOS. PXE is used to re-image the system and boot the router in case of boot failure or in the absence of a valid, bootable partition. PXE acts as a bootloader and provides the flexibility to choose the image that the system will boot based on the PID, the serial number, or the management interface MAC address. PXE downloads an ISO image, which is specified as part of the PXE reply from a PXE boot server, installs the ISO contents onto the device, and then transfers control to the installed software image.
PXE must be defined in the DHCP server configuration file. For additional information, see Boot using iPXE ["https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/system-setup/60x/b-ncs5500-system-setup-guide-60x/b-system-setup-ncs5k_chapter_0111.html#concept_F52D0A35637E4583972405EA4164C229"] and Boot the Router Using iPXE ["https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-5/system-setup/configuration/guide/b-system-setup-cg-asr9000-65x/b-system-setup-cg-asr9000_chapter_010.html#id_89365"].
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html ["https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"]
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"]
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
In the following tables, the left column lists the PIDs of Cisco products that may be affected by this vulnerability. The center column lists the first release of Cisco IOS XR 64-bit Software that includes the fix for this vulnerability. The right column lists the first version of the BIOS that includes the fix for this vulnerability.
PIDs that are not shown in these tables are not known to be affected by this vulnerability. BIOS versions earlier than the first fixed version are affected by this vulnerability.
A fixed BIOS image must be installed on the device in order to fix this vulnerability. The BIOS image is not provided in a standalone package but is embedded in Cisco IOS XR Software. In some cases, the BIOS may not automatically update when Cisco IOS XR Software is upgraded. To check the BIOS version, use the show fpd package or show hw-module fpd Bootloader command, as shown in the Vulnerable Products ["#vp"] section. If the BIOS has not been upgraded to a fixed version, as listed below, see Upgrading Field-Programmable Device ["https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/sysman/66x/b-system-management-cg-ncs5500-66x/b-system-management-cg-ncs5500-66x_chapter_01101.html"] and use the upgrade hw-module location command to upgrade the BIOS.
ASR 9000 Series Route Switch Processor
Cisco ASR 9000 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability A9K-RSP880-SE
A9K-RSP880-TR 6.5.2 10.65 A99-RP2-SE
A99-RP2-TR 6.5.2 14.35 A99-RSP-SE
A99-RSP-TR 6.5.2 16.14 A9K-RSP880-LT-SE
A9K-RSP880-LT-TR 6.5.2 17.34 ASR-9901-RP 6.5.2 22.20 A99-RP3-SE
A99-RP3-TR 6.5.2 30.23 A9K-RSP5-SE
A9K-RSP5-TR 6.5.2 31.20
1. Some PIDs may apply to devices that can run both the 32-bit and 64-bit images of Cisco IOS XR Software. Only the 64-bit image is known to be vulnerable.
Network Convergence System 1000 Series
Cisco NCS 1000 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability NCS1001
NCS1002
NCS1004 7.1.1 14.60
1. All PIDs and all permutations of each PID for this device are vulnerable.
Network Convergence System 540 Routers
Cisco NCS 540 PIDs First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability N540-12Z20G-SYS-A/D
N540-28Z4C-SYS-A/D
N540X-16Z4G8Q2C-A/D
N540X-12Z16G-SYS-A/D 7.2.1 1.17 N540-24Z8Q2C-M
N540-ACC-SYS 7.2.1 1.13
Network Convergence System 560 Routers
Cisco NCS 560 PIDs First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability N560-4-SYS1
N560-7-SYS1 6.6.3 and 7.0.2 0.14
1. All permutations of this PID are vulnerable.
Network Convergence System 5000 Series Routers
Cisco NCS 5000 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability NCS5001
NCS5002 7.2.1 1.13 NCS5011 7.2.1 1.14
1. All PIDs and all permutations of each PID for this device are vulnerable.
Network Convergence System 5500 Series Routers
Cisco NCS 5500 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability NC55-RP 6.6.3 9.30 NC55-RP-E
NCS-5501
NCS-5501-SE
NCS-5502
NCS-5502-SE 6.6.3 1.21 NCS-55A2-MOD-S
NCS-55A2-MOD-HD-S
NCS-55A2-MOD-HX-S
NCS-55A2-MOD-SE-S
NCS-55A2-MOD-SE-H-S
NCS-55A1-36H-SE-S
NCS-55A1-36H-S
NCS-55A1-24H
NCS55-A1-48Q6H
NCS-55A1-24Q6H-S 6.6.3 1.12
1. NC55-RP2-E is not vulnerable.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
This vulnerability was found by Martin Ramsdale of Cisco during internal security testing.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
{
"document": {
"acknowledgments": [
{
"summary": "This vulnerability was found by Martin Ramsdale of Cisco during internal security testing."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "A vulnerability in the enhanced Preboot eXecution Environment (PXE) boot loader for Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to execute unsigned code during the PXE boot process on an affected device. The PXE boot loader is part of the BIOS and runs over the management interface of hardware platforms that are running Cisco IOS XR Software only.\r\n\r\nThe vulnerability exists because internal commands that are issued when the PXE network boot process is loading a software image are not properly verified. An attacker could exploit this vulnerability by compromising the PXE boot server and replacing a valid software image with a malicious one. Alternatively, the attacker could impersonate the PXE boot server and send a PXE boot reply with a malicious file. A successful exploit could allow the attacker to execute unsigned code on the affected device.\r\n\r\nNote: To fix this vulnerability, both the Cisco IOS XR Software and the BIOS must be upgraded. The BIOS code is included in Cisco IOS XR Software but might require additional installation steps. For further information, see the Fixed Software [\"#fs\"] section of this advisory.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2\"]",
"title": "Summary"
},
{
"category": "general",
"text": "This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS XR 64-bit Software and the following conditions are met:\r\n\r\nThe product ID (PID) of the device matches one of the PIDs listed in the Fixed Software [\"#fs\"] section of this advisory.\r\nThe device is running a vulnerable BIOS version.\r\nThe device uses PXE for network boot.\r\n\r\nFor information about which Cisco software releases are vulnerable, see the Fixed Software [\"#fs\"] section of this advisory.\r\n Determine the Product ID\r\nTo check the PID of a device, use the show inventory raw CLI command. The following example shows the output of the command for a device that has the PID NC55-RP:\r\n\r\n\r\nRP/0/RP0/CPU0:router# show inventory raw\r\n.\r\n. .\r\n\r\nNAME: \"0/RP0\", DESCR: \"NCS 5500 Route Processor\"\r\nPID: NC55-RP , VID: V01, SN: SAL1926HRW5\r\nNAME: \"0/1/* - cpu\", DESCR: \"cpu\"\r\nPID: , VID: V00, SN: SAD093000JR\r\n\r\nNAME: \"0/1/* - cpu - 1.6V_P0\", DESCR: \"Voltage Sensor\"\r\nPID: , VID: N/A, SN:\r\n.\r\n. .\r\n\r\nIf the PID is listed in one of the tables in the Fixed Software [\"#fs\"] section of this advisory, then the device may be vulnerable if it is running a vulnerable BIOS version and is using PXE for network boot.\r\n Determine the BIOS Version\r\nTo determine which BIOS version is running on a device, use the show fpd package CLI command. The following example shows the output for a device that has the PID A9K-RSP880-LT-TR and is running BIOS version 17.16:\r\n RP/0/RSP0/CPU0:router# show fpd package\r\nWed Nov 4 21:55:45.713 UTC =======================\r\n\r\n ================================================\r\n Field Programmable Device Package\r\n================================================ Card Type FPD Description Type Subtype SW\r\nVersion Min Req\r\nSW Vers Min Req\r\nHW Vers ======================= ========================== ==== ======= =========== ======== ========= ASR-9910-BPID2 Can Bus Ctrl (CBC) BP2\r\nCan Bus Ctrl (CBC) BP2 bp\r\nlc cbc\r\ncbc 7.105\r\n7.105 0.00\r\n0.00 0.1\r\n0.1 --------------------------------------------------------------------------------------------------------------------\r\n.\r\n.\r\n.\r\n A9K-RSP880-LT-TR Can Bus Ctrl (CBC) RSP4\r\nMB CPUCtrl\r\nDBCtrl\r\nDBCtrl\r\nDBCtrl\r\nFsbl\r\nLinuxFW\r\nROMMONB RSP4L\r\nlc\r\nlc\r\nlc\r\nlc\r\nlc\r\nlc\r\nlc\r\nlc\r\n cbc\r\nfpga2\r\nfpga3\r\nfpga4\r\nfpga5\r\nfsbl\r\nlnxfw\r\nrommon 50.01\r\n 0.13\r\n 0.05\r\n 0.04\r\n 0.04\r\n 1.103\r\n 1.103\r\n17.16 0.00\r\n0.00\r\n0.00\r\n0.00\r\n0.00\r\n0.00\r\n0.00\r\n0.00 0.0\r\n0.0\r\n0.0\r\n0.0\r\n0.0\r\n0.0\r\n0.0\r\n0.0 -------------------------------------------------------------------------------------------------------------------- .\r\n.\r\n.\r\nTo determine which BIOS version is running on a Network Convergence System 5500 Series Router, use the show hw-module fpd Bootloader CLI command. The following example shows the output for a device that has the PID NC55-RP-E and is running BIOS version 1.20.\r\n\r\n\r\nRP/0/RP0/CPU0:router#show hw-module fpd Bootloader\r\nWed Sep 11 18:43:06.989 UTC FPD Versions\r\n=================\r\nLocation Card type HWver FPD device ATR Status Running Programd\r\n------------------------------------------------------------------------------\r\n0/5 NC55-MOD-A-S 0.201 Bootloader CURRENT 1.02 1.02\r\n0/6 NC55-24H12F-SE 0.0 Bootloader NEED UPGD 1.11 1.11\r\n0/RP0 NC55-RP-E 1.1 Bootloader CURRENT 1.20 1.20\r\n0/RP1 NC55-RP-E 1.1 Bootloader CURRENT 1.20 1.20\r\n.\r\n. .",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\n8000 Series Routers\r\nCarrier Routing System (CRS-X)\r\nIOS Software\r\nIOS XE Software\r\nIOS XR 32-bit Software\r\nIOS XR White box (IOSXRWBD)\r\nIOS XRv 9000 Router\r\nNetwork Convergence System (NCS) 6000 Series Routers\r\nNX-OS Software\r\nUCS 6200 Series Fabric Interconnects\r\nUCS 6300 Series Fabric Interconnects\r\nUCS 6400 Series Fabric Interconnects\r\nUCS B-Series Blade Servers\r\nUCS C-Series M3 Rack Servers - Standalone\r\nUCS C-Series M4 Rack Servers - Standalone\r\nUCS C-Series M5 Rack Servers - Managed\r\nUCS C-Series M5 Rack Servers - Standalone",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "PXE is included in the network card of the management interface of routers that are running Cisco IOS XR Software and is part of the device BIOS. PXE is used to re-image the system and boot the router in case of boot failure or in the absence of a valid, bootable partition. PXE acts as a bootloader and provides the flexibility to choose the image that the system will boot based on the PID, the serial number, or the management interface MAC address. PXE downloads an ISO image, which is specified as part of the PXE reply from a PXE boot server, installs the ISO contents onto the device, and then transfers control to the installed software image.\r\n\r\nPXE must be defined in the DHCP server configuration file. For additional information, see Boot using iPXE [\"https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/system-setup/60x/b-ncs5500-system-setup-guide-60x/b-system-setup-ncs5k_chapter_0111.html#concept_F52D0A35637E4583972405EA4164C229\"] and Boot the Router Using iPXE [\"https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-5/system-setup/configuration/guide/b-system-setup-cg-asr9000-65x/b-system-setup-cg-asr9000_chapter_010.html#id_89365\"].",
"title": "Details"
},
{
"category": "general",
"text": "There are no workarounds that address this vulnerability.",
"title": "Workarounds"
},
{
"category": "general",
"text": "Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:\r\nhttps://www.cisco.com/c/en/us/products/end-user-license-agreement.html [\"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html\"]\r\n\r\nAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n Customers Without Service Contracts\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]\r\n\r\nCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n Fixed Releases\r\nIn the following tables, the left column lists the PIDs of Cisco products that may be affected by this vulnerability. The center column lists the first release of Cisco IOS XR 64-bit Software that includes the fix for this vulnerability. The right column lists the first version of the BIOS that includes the fix for this vulnerability.\r\n\r\nPIDs that are not shown in these tables are not known to be affected by this vulnerability. BIOS versions earlier than the first fixed version are affected by this vulnerability.\r\n\r\nA fixed BIOS image must be installed on the device in order to fix this vulnerability. The BIOS image is not provided in a standalone package but is embedded in Cisco IOS XR Software. In some cases, the BIOS may not automatically update when Cisco IOS XR Software is upgraded. To check the BIOS version, use the show fpd package or show hw-module fpd Bootloader command, as shown in the Vulnerable Products [\"#vp\"] section. If the BIOS has not been upgraded to a fixed version, as listed below, see Upgrading Field-Programmable Device [\"https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/sysman/66x/b-system-management-cg-ncs5500-66x/b-system-management-cg-ncs5500-66x_chapter_01101.html\"] and use the upgrade hw-module location command to upgrade the BIOS.\r\n\r\nASR 9000 Series Route Switch Processor\r\n Cisco ASR 9000 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability A9K-RSP880-SE\r\nA9K-RSP880-TR 6.5.2 10.65 A99-RP2-SE\r\nA99-RP2-TR 6.5.2 14.35 A99-RSP-SE\r\nA99-RSP-TR 6.5.2 16.14 A9K-RSP880-LT-SE\r\nA9K-RSP880-LT-TR 6.5.2 17.34 ASR-9901-RP 6.5.2 22.20 A99-RP3-SE\r\nA99-RP3-TR 6.5.2 30.23 A9K-RSP5-SE\r\nA9K-RSP5-TR 6.5.2 31.20\r\n1. Some PIDs may apply to devices that can run both the 32-bit and 64-bit images of Cisco IOS XR Software. Only the 64-bit image is known to be vulnerable.\r\nNetwork Convergence System 1000 Series\r\n Cisco NCS 1000 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability NCS1001\r\nNCS1002\r\nNCS1004 7.1.1 14.60\r\n1. All PIDs and all permutations of each PID for this device are vulnerable.\r\nNetwork Convergence System 540 Routers\r\n Cisco NCS 540 PIDs First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability N540-12Z20G-SYS-A/D\r\nN540-28Z4C-SYS-A/D\r\nN540X-16Z4G8Q2C-A/D\r\nN540X-12Z16G-SYS-A/D 7.2.1 1.17 N540-24Z8Q2C-M\r\nN540-ACC-SYS 7.2.1 1.13\r\nNetwork Convergence System 560 Routers\r\n Cisco NCS 560 PIDs First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability N560-4-SYS1\r\nN560-7-SYS1 6.6.3 and 7.0.2 0.14\r\n1. All permutations of this PID are vulnerable.\r\nNetwork Convergence System 5000 Series Routers\r\n Cisco NCS 5000 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability NCS5001\r\nNCS5002 7.2.1 1.13 NCS5011 7.2.1 1.14\r\n1. All PIDs and all permutations of each PID for this device are vulnerable.\r\nNetwork Convergence System 5500 Series Routers\r\n Cisco NCS 5500 Series PIDs1 First Fixed Release of Cisco IOS XR Software for This Vulnerability First Fixed BIOS Version for This Vulnerability NC55-RP 6.6.3 9.30 NC55-RP-E\r\nNCS-5501\r\nNCS-5501-SE\r\nNCS-5502\r\nNCS-5502-SE 6.6.3 1.21 NCS-55A2-MOD-S\r\nNCS-55A2-MOD-HD-S\r\nNCS-55A2-MOD-HX-S\r\nNCS-55A2-MOD-SE-S\r\nNCS-55A2-MOD-SE-H-S\r\nNCS-55A1-36H-SE-S\r\nNCS-55A1-36H-S\r\nNCS-55A1-24H\r\nNCS55-A1-48Q6H\r\nNCS-55A1-24Q6H-S 6.6.3 1.12\r\n1. NC55-RP2-E is not vulnerable.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "This vulnerability was found by Martin Ramsdale of Cisco during internal security testing.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
"issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Cisco IOS XR Software Enhanced Preboot eXecution Environment Unsigned Code Execution Vulnerability",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2"
},
{
"category": "external",
"summary": "Boot using iPXE",
"url": "https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/system-setup/60x/b-ncs5500-system-setup-guide-60x/b-system-setup-ncs5k_chapter_0111.html#concept_F52D0A35637E4583972405EA4164C229"
},
{
"category": "external",
"summary": "Boot the Router Using iPXE",
"url": "https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-5/system-setup/configuration/guide/b-system-setup-cg-asr9000-65x/b-system-setup-cg-asr9000_chapter_010.html#id_89365"
},
{
"category": "external",
"summary": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html",
"url": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Security Advisories page",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html",
"url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
},
{
"category": "external",
"summary": "Upgrading Field-Programmable Device",
"url": "https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/sysman/66x/b-system-management-cg-ncs5500-66x/b-system-management-cg-ncs5500-66x_chapter_01101.html"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
}
],
"title": "Cisco IOS XR Software Enhanced Preboot eXecution Environment Unsigned Code Execution Vulnerability",
"tracking": {
"current_release_date": "2020-12-01T17:50:58+00:00",
"generator": {
"date": "2022-09-03T03:31:03+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2",
"initial_release_date": "2020-11-04T16:00:00+00:00",
"revision_history": [
{
"date": "2020-10-30T17:25:26+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2020-11-04T22:00:41+00:00",
"number": "1.1.0",
"summary": "Clarified the first vulnerable release and added the show fpd package command to determine the BIOS version."
},
{
"date": "2020-11-17T20:46:21+00:00",
"number": "1.2.0",
"summary": "Removed 6.6.25 as a fixed release."
},
{
"date": "2020-12-01T17:50:58+00:00",
"number": "1.3.0",
"summary": "In the Fixed Software section the Network Convergence System 540 Routers table was modified to accurately reflect the First Fixed Bios version."
}
],
"status": "final",
"version": "1.3.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco IOS XR Software",
"product": {
"name": "Cisco IOS XR Software ",
"product_id": "CSAFPID-5834"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-3284",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCvi82550"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvq23340"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvq31064"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvu31574"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5834"
]
},
"release_date": "2019-08-01T17:21:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-5834"
],
"url": "https://software.cisco.com"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-5834"
]
}
],
"title": "Cisco IOS XR Software Enhanced Preboot eXecution Environment (iPXE) Secure Boot Bypass Vulnerability "
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.