CVE-2019-12662

Severity: MEDIUM | CVSS 6.7/10 | EPSS 0.30%

CVE-2019-12662 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device. The vulnerability is due to improper signature verification during the installation of an Open Virtual Appliance (OVA) image. EPSS estimates a 0.30% chance of exploitation in the next 30 days.

Description

A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device. The vulnerability is due to improper signature verification during the installation of an Open Virtual Appliance (OVA) image. An authenticated, local attacker could exploit this vulnerability and load a malicious, unsigned OVA image on an affected device. A successful exploit could allow an attacker to perform code execution on a crafted software OVA image.

Metrics

CVSS 3.1 base score: 6.7/10
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS probability: 0.30% (22.0th percentile)
Probability of exploitation in the next 30 days.

Affected Software

Vendor | Product                        | Versions
-------|--------------------------------|----------------
Cisco  | IOS XE                         | 16.8.1
Cisco  | NX-OS                          | 8.1(0.2)s0
Cisco  | NX-OS                          | 8.1(1)
Cisco  | NX-OS                          | 8.1(1)s5
Cisco  | NX-OS                          | 8.1(0)bd(0.20)
Cisco  | Nexus 3016 Firmware            | All versions
Cisco  | Nexus 3048 Firmware            | All versions
Cisco  | Nexus 3064 Firmware            | All versions
Cisco  | Nexus 3064-T Firmware          | All versions
Cisco  | Nexus 31108PC-V Firmware       | All versions
Cisco  | Nexus 31108TC-V Firmware       | All versions
Cisco  | Nexus 31128PQ Firmware         | All versions
Cisco  | Nexus 3132C-Z Firmware         | All versions
Cisco  | Nexus 3132Q Firmware           | All versions
Cisco  | Nexus 3132Q-V Firmware         | All versions
Cisco  | Nexus 3132Q-XL Firmware        | All versions
Cisco  | Nexus 3164Q Firmware           | All versions
Cisco  | Nexus 3172 Firmware            | All versions
Cisco  | Nexus 3172PQ-XL Firmware       | All versions
Cisco  | Nexus 3172TQ Firmware          | All versions
Cisco  | Nexus 3172TQ-32T Firmware      | All versions
Cisco  | Nexus 3172TQ-XL Firmware       | All versions
Cisco  | Nexus 3232C Firmware           | All versions
Cisco  | Nexus 3264C-E Firmware         | All versions
Cisco  | Nexus 3264Q Firmware           | All versions
Cisco  | Nexus 3408-S Firmware          | All versions
Cisco  | Nexus 34180YC Firmware         | All versions
Cisco  | Nexus 34200YC-SM Firmware      | All versions
Cisco  | Nexus 3432D-S Firmware         | All versions
Cisco  | Nexus 3464C Firmware           | All versions
Cisco  | Nexus 3524 Firmware            | All versions
Cisco  | Nexus 3524-X Firmware          | All versions
Cisco  | Nexus 3524-XL Firmware         | All versions
Cisco  | Nexus 3548 Firmware            | All versions
Cisco  | Nexus 3548-X Firmware          | All versions
Cisco  | Nexus 3548-XL Firmware         | All versions
Cisco  | Nexus 5548P Firmware           | All versions
Cisco  | Nexus 5548UP Firmware          | All versions
Cisco  | Nexus 5596T Firmware           | All versions
Cisco  | Nexus 5596UP Firmware          | All versions
Cisco  | Nexus 56128P Firmware          | All versions
Cisco  | Nexus 5624Q Firmware           | All versions
Cisco  | Nexus 5648Q Firmware           | All versions
Cisco  | Nexus 5672UP Firmware          | All versions
Cisco  | Nexus 5696Q Firmware           | All versions
Cisco  | Nexus 6001 Firmware            | All versions
Cisco  | Nexus 6004 Firmware            | All versions
Cisco  | Nexus 7000 10-Slot Firmware    | All versions
Cisco  | Nexus 7000 18-Slot Firmware    | All versions
Cisco  | Nexus 7000 4-Slot Firmware     | All versions

Showing 50 of 55 affected configurations. See NVD for the full list.

Timeline

Published:
Last Modified:
Status: Modified

Frequently Asked Questions

How severe is CVE-2019-12662?
CVE-2019-12662 has a CVSS score of 6.7/10 (MEDIUM severity). The EPSS model estimates a 0.30% probability of exploitation in the next 30 days.
How do I fix CVE-2019-12662?
Check the Cisco security advisory and the NVD references for this CVE for fixed software releases and mitigation guidance. Because exploitation requires valid administrator (privilege level 15) credentials and local access, restricting and auditing administrative access to affected devices reduces exposure until they are upgraded.

Source: NVD / NIST