CVE-2023-20016
CVSS v3.1 Base Score: 6.5 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 2.0 / Impact: 4.0
Source: NVD
Description
A vulnerability in the backup configuration feature of Cisco UCS Manager Software and in the configuration export feature of Cisco FXOS Software could allow an unauthenticated attacker with access to a backup file to decrypt sensitive information stored in the full state and configuration backup files. This vulnerability is due to a weakness in the encryption method used for the backup function. An attacker could exploit this vulnerability by leveraging a static key used for the backup configuration feature. A successful exploit could allow the attacker to decrypt sensitive information that is stored in full state and configuration backup files, such as local user credentials, authentication server passwords, Simple Network Management Protocol (SNMP) community names, and other credentials.
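The weakness the description names (one key built into the product and reused for every customer's backup, CWE-321, with a fixed nonce, CWE-330) shown beside the pattern that removes it, as an added example that is not Cisco's code and makes no claim about the real UCS Manager or FXOS backup format: the sample secrets, the file layout and `MAGIC` marker, the `STATIC_KEY` value and the HMAC-SHA256 counter-mode stream cipher are all constructed for illustration (a real exporter would use an AEAD such as AES-GCM; the weakness is independent of the cipher). The last function is the check a practitioner can run against any exporter: two exports of the same configuration that share a ciphertext prefix are reusing key material.

```python
"""Static backup key (CWE-321 / CWE-330) beside a passphrase-derived per-backup key.

Added example, not Cisco code: backup layout, sample secrets, STATIC_KEY and the
HMAC-counter stream cipher are constructed for illustration only.
"""
import hashlib
import hmac
import json
import os
import struct

# Constructed config holding the kinds of secrets the advisory says a backup contains.
SAMPLE_CONFIG = {
    "local_users": {"admin": "Sup3rSecret!"},
    "auth_servers": {"10.0.0.5": "radius-shared-key"},
    "snmp_communities": ["private"],
}

PBKDF2_ITERATIONS = 200_000
TAG_LEN = 32
MAGIC = b"BKP1"  # constructed format marker, not a real file signature


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


# --- Vulnerable pattern: one key and one nonce baked into the product -----------
# Every device ships with the same key (CWE-321) and reuses a fixed nonce (CWE-330),
# so the key can be pulled from one firmware image and used on any customer's backup.
STATIC_KEY = b"constructed-static-key-for-demo!"  # hypothetical value
STATIC_NONCE = b"\x00" * 16


def export_backup_vulnerable(config: dict) -> bytes:
    plaintext = json.dumps(config, sort_keys=True).encode()
    return _xor(plaintext, _keystream(STATIC_KEY, STATIC_NONCE, len(plaintext)))


def attacker_decrypt(blob: bytes) -> dict:
    """What an attacker holding only the backup file and the extracted key can do."""
    return json.loads(_xor(blob, _keystream(STATIC_KEY, STATIC_NONCE, len(blob))))


# --- Hardened pattern: per-backup key derived from an operator passphrase --------
def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key


def export_backup_hardened(config: dict, passphrase: str) -> bytes:
    plaintext = json.dumps(config, sort_keys=True).encode()
    salt, nonce = os.urandom(16), os.urandom(16)  # fresh for every backup
    enc_key, mac_key = _derive_keys(passphrase, salt)
    body = MAGIC + salt + nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC


def import_backup_hardened(blob: bytes, passphrase: str) -> dict:
    if len(blob) < len(MAGIC) + 32 + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a backup file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce, ct = body[4:20], body[20:36], body[36:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong passphrase or tampered backup")
    return json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))


# --- Practitioner check: does an exporter reuse key material? --------------------
def looks_static_keyed(blob_a: bytes, blob_b: bytes, prefix: int = 16) -> bool:
    """Two exports of the same config that share a ciphertext prefix indicate a
    fixed key and nonce (keystream reuse); a sound exporter never does this."""
    return blob_a[:prefix] == blob_b[:prefix]


if __name__ == "__main__":
    weak = export_backup_vulnerable(SAMPLE_CONFIG)
    print("attacker recovers:", attacker_decrypt(weak)["local_users"])
    print("static key detected:", looks_static_keyed(weak, export_backup_vulnerable(SAMPLE_CONFIG)))
    strong = export_backup_hardened(SAMPLE_CONFIG, "operator-passphrase")
    print("hardened roundtrip ok:", import_backup_hardened(strong, "operator-passphrase") == SAMPLE_CONFIG)
    print("hardened reuse detected:", looks_static_keyed(strong, export_backup_hardened(SAMPLE_CONFIG, "x")))
```

The hardened exporter keeps nothing secret inside the product: an attacker who obtains the firmware and the backup file still needs the operator's passphrase, and a wrong passphrase fails the MAC check rather than yielding garbage that might be mistaken for a corrupted file. The `looks_static_keyed` check is deliberately cheap so it can be applied to two backups taken from a live appliance without knowing the format.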
Affected (12)
Configuration A

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6536 | All versions |

Configuration B

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 64108 | All versions |

Configuration C

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6454 | All versions |

Configuration D

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6200 | All versions |

Configuration E

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6248up | All versions |

Configuration F

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6296up | All versions |

Configuration G

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6300 | All versions |

Configuration H

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6324 | All versions |

Configuration I

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6332 | All versions |

Configuration J

| Vulnerable Software | Affected Versions |
|---|---|
| | All versions |
| | Before 4.2(3c) |

| Running on/with | Platform Versions |
|---|---|
| Cisco Ucs 6332 16up | All versions |

Configuration K

| Vulnerable Software | Affected Versions |
|---|---|
| | Before 2.6.1 |

| Running on/with | Platform Versions |
|---|---|
| Cisco Firepower 4100 | All versions |
| Cisco Firepower 4110 | All versions |
| Cisco Firepower 4112 | All versions |
| Cisco Firepower 4115 | All versions |
| Cisco Firepower 4120 | All versions |
| Cisco Firepower 4125 | All versions |
| Cisco Firepower 4140 | All versions |
| Cisco Firepower 4145 | All versions |
| Cisco Firepower 4150 | All versions |
| Cisco Firepower 9300 Sm 24 | All versions |
| Cisco Firepower 9300 Sm 36 | All versions |
| Cisco Firepower 9300 Sm 40 | All versions |
| Cisco Firepower 9300 Sm 44 | All versions |
| Cisco Firepower 9300 Sm 44 X 3 | All versions |
| Cisco Firepower 9300 Sm 48 | All versions |
| Cisco Firepower 9300 Sm 56 | All versions |
| Cisco Firepower 9300 Sm 56 X 3 | All versions |
Related CWEs
CWE-321
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
CWE-330
Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
References (2)
Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.