Symptom
A vulnerability in the Image Verification feature of Cisco IOS XE Software could allow an authenticated, local attacker to bypass signature verification when loading a software image.
The vulnerability is due to improper validation of digitally signed images. An attacker could exploit this vulnerability by uploading a malicious image to the affected system. An exploit could allow the attacker to install malicious files on the targeted system.
Conditions
Device running an affected version of software.
To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com at the following link: https://tools.cisco.com/security/center/softwarechecker.x
Workaround
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 4.4:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X
A CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Further Problem Description