CVE-2023-20064 — MEDIUM (4.6)

Q: How severe is CVE-2023-20064?

CVE-2023-20064 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-20064?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Ios Xr, Cisco Asr 9000V-V2, Cisco Asr 9001, Cisco Asr 9006, Cisco Asr 9010.

Vulnerability Description

A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS XR Software could allow an unauthenticated attacker with physical access to the device to view sensitive files on the console using the GRUB bootloader command line. This vulnerability is due to the inclusion of unnecessary commands within the GRUB environment that allow sensitive files to be viewed. An attacker could exploit this vulnerability by being connected to the console port of the Cisco IOS XR device when the device is power-cycled. A successful exploit could allow the attacker to view sensitive files that could be used to conduct additional attacks against the device.

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Cisco	Ios Xr	< 7.9.1
Cisco	Asr 9000V-V2	-
Cisco	Asr 9001	-
Cisco	Asr 9006	-
Cisco	Asr 9010	-
Cisco	Asr 9901	-
Cisco	Asr 9902	-
Cisco	Asr 9903	-
Cisco	Asr 9904	-
Cisco	Asr 9906	-
Cisco	Asr 9910	-
Cisco	Asr 9912	-
Cisco	Asr 9922	-
Cisco	Ios Xrv 9000	-
Cisco	Ncs 1001	-
Cisco	Ncs 1002	-
Cisco	Ncs 1004	-
Cisco	Nc57-18Dd-Se	-
Cisco	Nc57-24Dd	-
Cisco	Nc57-36H-Se	-

Related Weaknesses (CWE)

CWE-862

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciVendor Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciVendor Advisory

FAQ

What is CVE-2023-20064?

CVE-2023-20064 is a vulnerability with a CVSS score of 4.6 (MEDIUM). A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS XR Software could allow an unauthenticated attacker with physical access to the device to view sensitive files on the console using...

How severe is CVE-2023-20064?

CVE-2023-20064 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-20064?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Ios Xr, Cisco Asr 9000V-V2, Cisco Asr 9001, Cisco Asr 9006, Cisco Asr 9010.