What is the severity of CVE-2019-1649?

The severity of CVE-2019-1649 is rated as high due to the potential for an authenticated, local attacker to modify firmware.

How do I fix CVE-2019-1649?

To fix CVE-2019-1649, upgrade your Cisco Secure Boot implementation to the recommended version as provided in Cisco's advisory.

Which Cisco devices are affected by CVE-2019-1649?

CVE-2019-1649 affects multiple Cisco hardware, primarily within the Cisco ASA and Firepower series firmware.

Is CVE-2019-1649 a remote or local vulnerability?

CVE-2019-1649 is a local vulnerability that requires authentication to exploit.

What is the impact of exploiting CVE-2019-1649?

Exploiting CVE-2019-1649 can allow an attacker to write modified firmware images, potentially compromising the device's integrity.

Vulnerability/
CVE-2019-1649

high

7.2

CWE

667 284

13/5/2019

20/11/2024

CVE-2019-1649: Cisco Secure Boot Hardware Tampering Vulnerability

First published: Mon May 13 2019(Updated: )

A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality. The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image. An attacker will need to fulfill all the following conditions to attempt to exploit this vulnerability: Have privileged administrative access to the device. Be able to access the underlying operating system running on the device; this can be achieved either by using a supported, documented mechanism or by exploiting another vulnerability that would provide an attacker with such access. Develop or have access to a platform-specific exploit. An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each one of those platforms and then develop a platform-specific exploit. Although the research process could be reused across different platforms, an exploit developed for a given hardware platform is unlikely to work on a different hardware platform.

Credit: ykramarz@cisco.com

Affected Software	Affected Version	How to fix
Cisco ASA 5500 CSC-SSM firmware	<1.1.15
Cisco ASA 5506-H
Cisco ASA 5506H-X firmware
Cisco ASA 5506W-X firmware
Cisco ASA 5508-X Firmware
Cisco ASA 5516-X
Cisco Firepower 2100 Firmware	<2.6.1.134
Cisco Firepower 2110
Cisco Firepower 2120
Cisco Firepower 2130
Cisco Firepower 2140
Cisco Firepower Management Center 4000 firmware	<1.0.18
Cisco Firepower 4110 Next-Generation Firewall
Cisco Firepower 4120 Next-Generation Firewall
Cisco Firepower 4140 Next-Generation Firewall
Cisco Firepower 4150 Next-Generation Firewall
Cisco Firepower 9000 Firmware	<1.0.18
Cisco Firepower 9300 firmware
Cisco ONS 15454 firmware	<11.1
Cisco ONS 15454 SDH Multiservice Platform
Cisco Analog Voice Network Interface Modules Firmware
Cisco NIM-2BRI-NT/TE
Cisco NIM-2FXO
Cisco NIM-2FXS
Cisco nim-2fxs/4fxo
Cisco nim-2fxs/4fxop
Cisco NIM-2FXSP
Cisco NIM-4BRI-NT/TE
Cisco NIM-4E/M
Cisco NIM-4FXO
Cisco NIM-4FXS
Cisco NIM-4FXSP
Cisco integrated services router T1/E1 voice and WAN network interface modules firmware
Cisco NIM-1CE1T1-PRI
Cisco NIM-1MFT-T1/E1
Cisco NIM-2CE1T1-PRI
Cisco nim-2mft-t1/e1
Cisco NIM-4MFT-T1/E1
Cisco NIM-8CE1T1-PRI
Cisco NIM-8MFT-T1/E1
Cisco Nexus 9500 Supervisor A+ Firmware
Cisco Nexus 9000 Series Switches
Cisco Nexus 9500 Supervisor B+ Firmware
Cisco Nexus 9000 Series Supervisor Module B
Cisco ONS 15454 firmware	<11.1
Cisco 15454-m-wse-k9 firmware
Cisco IOS XE Web UI	<16.12.1
Cisco cBR-8 Converged Broadband Routers
Cisco IOS XE Web UI	<16.3.9
Cisco IOS XE Web UI	>=16.4.0<16.6.7
Cisco IOS XE Web UI	>=16.7.0<16.9.4
Cisco IOS XE Web UI	>=16.10.0<16.12.1
Cisco NIM-1GE-CU-SFP
Cisco NIM-2GE-CU-SFP
Cisco SM-X-PVDM-1000
Cisco SM-X-PVDM2K
Cisco SM-X-PVDM-3000
Cisco SM-X-PVDM-500
Cisco IOS	<15.6\(3\)m7
Cisco IOS	>=15.7<=15.7\(3\)m5
Cisco IOS	>=15.8<15.8\(3\)m3
Cisco IOS	>=15.9<15.9\(3\)m
Cisco Connected Grid Routers
Cisco Connected Grid Routers
Cisco Industrial Security Appliances 3000	<1.0.05
Cisco Industrial Security Appliances 3000 Firmware
Cisco Integrated Services Router 4200 Firmware	<1.1
Cisco 4221 Integrated Services Router
Cisco Integrated Services Router 4300 Firmware	<1.1
Cisco 4321/k9 Integrated Services Router
Cisco 4331/k9-rf Integrated Services Router
Cisco 4351/k9-rf Integrated Services Router
Cisco Integrated Services Router 4400 Firmware	<1.1
Cisco 4431 Integrated Services Router
Cisco 44461 Integrated Services Router
Cisco 4451-X Integrated Services Router
Cisco IOS	<15.6\(3\)m6b
Cisco IOS	>=15.7<=15.7\(3\)m4b
Cisco IOS	>=15.8<15.8\(3\)m2a
Cisco 809 Industrial Integrated Services Router
Cisco 829 Industrial Integrated Services Router Firmware
Cisco ASR 1000 Series
Cisco ASR 1000 Series
Cisco ASR 1000 Series Firmware
Cisco ASR 1000 Series
Cisco ASR 1000 Series
Cisco ASR 1000 ESP 200
Cisco ASR 1000 Series
Cisco ASR 1000 RP3
Cisco ASR 1001 Firmware	=16.0.0
Cisco ASR 1001
Cisco ASR 1001-X
Cisco ASR 1002 Fixed Router
Cisco IOS XE Web UI	<16.2.1
Cisco ASR 900 Route Switch Processor 2 (RSP2)
Cisco ASR 900 Route Switch Processor 2A 64
Cisco ASR 900 Route Switch Processor 3 (RSP3)
Cisco a900-rsp3c-400/w
Cisco ASR 920-10SZ-PD
Cisco ASR 920-12CZ-A
Cisco ASR 920
Cisco ASR 920-12SZ-A
Cisco ASR 920-12SZ-D
Cisco ASR 920-12SZ-IM
Cisco ASR 920 Series Router
Cisco ASR 920
Cisco ASR 920-24TZ-M
Cisco ASR 920-4SZ-A
Cisco ASR 920-4SZ-D
Cisco Catalyst C9300-24P
Cisco Catalyst C9300-24T
Cisco Catalyst C9300-24U
Cisco Catalyst 9300-24UX
Cisco Catalyst C9300-48p
Cisco Catalyst C9300-48T
Cisco Catalyst C9300-48U
Cisco Catalyst C9300-48un
Cisco Catalyst C9300-48UXM
Cisco Catalyst 9600 Supervisor Engine-1
Cisco cBR-CCAP-LC-40G-R
Cisco CBR-LC-8D31-16U31
Cisco IOS XRv 9000	=7.0.1
Cisco a99-16x100ge-x-se
Cisco a99-32x100ge-cm
Cisco A99-32X100GE-TR
Cisco a99-rp3-se firmware
Cisco a99-rp3-tr firmware
Cisco Nexus 9000 Series Switches
Cisco ASR 9000 Series
Cisco A9K-RSP5-SE Firmware
Cisco ASR 9000 Series Route Processor 5 (RSP5)
Cisco Network Convergence System 1002
Cisco IOS XE Web UI	<15.5\(1\)sy4
Cisco Catalyst 6800 Series
Cisco Catalyst 6800
Cisco Catalyst 6800 8-Port 10-Gigabit XL
Cisco Catalyst 6800 Series Switches
Cisco Catalyst 6800 Series Supervisor Engine 6T
Cisco Catalyst C6816-X-LE
Cisco Catalyst C6824-X-LE-40G
Cisco Catalyst C6832-X-LE
Cisco Catalyst 6840-x-le-40g
Cisco IOS XE Web UI	<16.9.4
Cisco IOS XE Web UI	>=16.10<16.12.1
Cisco Catalyst C9500-12Q
Cisco Catalyst C9500-16x
Cisco Catalyst 9500 Series Switches
Cisco Catalyst C9500-24Y4C
Cisco Catalyst C9500-32C
Cisco Catalyst C9500-32qc
Cisco Catalyst C9500-40x
Cisco Catalyst C9500-48Y4C
Cisco Catalyst 9800 Embedded Wireless Controller Firmware
Cisco Catalyst 9800-40 Wireless Controller
Cisco Catalyst 9800 Embedded Wireless Controller Firmware
Cisco Catalyst 9800-80 Wireless Controller Firmware
Cisco IC3000	<1.0.2
Cisco IC3000
Cisco NX-OS	<8.4.1
Cisco DS-X9334-K9
Cisco NCS2K-MR-MXP-K9	<11.1
Cisco NCS2K-MR-MXP-K9
Cisco IOS XRv 9000	=7.1.1
Cisco nc55-24h12f-se
Cisco NCS 55 Series
Cisco NCS 55A1-36H-SE
Cisco NCS 5504
Cisco NCS 5516
Cisco NCS 55
Cisco NCS 55 Series
Cisco NCS 5501-SE
Cisco NCS 5501-SE
Cisco NCS 5502
Cisco NCS 5502-SE
Cisco NCS 55A1
Cisco NCS 55A1
Cisco ncs-55a1-36h-se-s firmware
Cisco NCS-55A2-MOD-HD-S
Cisco NCS 55A2 MOD HX-S Firmware
Cisco NCS 55A2 Mod S
Cisco NCS-55A2-MOD-SE-H-S Firmware
Cisco NCS 55A2 MOD SE-S Firmware
Cisco Network Convergence System 5001
Cisco Network Convergence System 5002
Cisco NX-OS	<9.3\(2\)
Cisco Nexus 31108PC-V
Cisco Nexus 31108TC-V
Cisco Nexus 3132C-Z
Cisco Nexus 3264C-E
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series N9K-C93108TC-EX
Cisco Nexus 9000 Series Switch
Cisco Nexus 9000 Series Switch - C93180LC-EX
Cisco Nexus 93180YC-EX
Cisco Nexus 93360YC-FX2
Cisco Nexus 93240YC-FX2
Cisco Nexus 9000 Series Switch n9k-c9348gc-fxp
Cisco DS-X9648-1536K9
Cisco Nexus 7000 Series N77-M312CQ-26L
Cisco Nexus 7000 Series Switch (N77-M348XP-23L)
Cisco Nexus 7000 Series Switches
Cisco Nexus 7000 Series n7k-m324fq-25l
Cisco Nexus 7000 Series N7K-M348XP-25L
Cisco SM-X-1T3/E3 Firmware
Cisco SM-X-1T3/E3
Cisco 5100 Enterprise Network Compute System firmware
Cisco ENCS 5100
Cisco 5400 Enterprise Network Compute System firmware
Cisco ENCS 5400 Firmware

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2019-1649?
The severity of CVE-2019-1649 is rated as high due to the potential for an authenticated, local attacker to modify firmware.
How do I fix CVE-2019-1649?
To fix CVE-2019-1649, upgrade your Cisco Secure Boot implementation to the recommended version as provided in Cisco's advisory.
Which Cisco devices are affected by CVE-2019-1649?
CVE-2019-1649 affects multiple Cisco hardware, primarily within the Cisco ASA and Firepower series firmware.
Is CVE-2019-1649 a remote or local vulnerability?
CVE-2019-1649 is a local vulnerability that requires authentication to exploit.
What is the impact of exploiting CVE-2019-1649?
Exploiting CVE-2019-1649 can allow an attacker to write modified firmware images, potentially compromising the device's integrity.