A command injection (CVE-2023-20076) and a path traversal (Cisco bug ID CSCwc67015) found in a Cisco ISR 4431 router impact a wide range of other Cisco devices.
The Trellix Advanced Research Center has found two vulnerabilities in Cisco appliances. One of them could allow attackers to gain persistent root access to the underlying system. These vulnerabilities were disclosed per Trellix’s responsible disclosure process.
“Our team focuses on finding critical zero-day vulnerabilities in enterprise software and hardware to expose and reduce attack surfaces. To do this, we are always looking for new devices and software to investigate. During a team building exercise, the Trellix Advanced Research Center’s vulnerability research team found two vulnerabilities — a command injection (CVE-2023-20076) and a path traversal (Cisco bug ID CSCwc67015) — in a Cisco ISR 4431 router that impacts a wide range of other Cisco devices,” commented Doug McKee, Director – Vulnerability Research & Principal Engineer, Trellix Advanced Research Center.
CVE-2023-20076 allows an attacker to remotely inject code through a field on the Cisco web interface. Trellix was able to use the command injection to gain a persistent shell that survived device reboots. The vulnerability also yields root shell access, which gives an attacker control over almost everything on the device. With that level of control, an attacker can potentially hide all traces of what they have done or are doing.
The persistence of the vulnerability is significant in that Cisco designs its devices specifically to negate this capability. CSCwc67015 allows an attacker to overwrite most files on the operating system. Cisco’s IOx Local Manager allows users to upload and run applications in virtualized containers. Through reverse engineering the application hosting environment, the Trellix team discovered that a maliciously packed application could bypass a vital security check while uncompressing the uploaded application.
This vulnerability was given a Cisco Bug ID rather than a CVE because it is not currently exploitable on any device: the affected code belongs to a feature that had been written and scheduled for a future release but was not yet enabled. As such, Trellix was able to prevent an impactful vulnerability before it was even released.
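The path traversal above is an instance of a well-known class of bug: an archive (here, an uploaded IOx application package) carries member names or link targets that escape the extraction directory, and the code that unpacks it trusts them. The following is an added illustration of the check such an unpacker needs; it is example code written for this article, not Cisco's IOx code, and the function names (`find_unsafe_members`, `build_sample_archive`) and the constructed tar archive are assumptions made for the example. It rejects absolute names, `..` components, symlinks and hard links whose targets land outside the destination, and device or FIFO entries, before anything is written to disk.

```python
import io
import os
import tarfile
from pathlib import Path


def _is_within(base: Path, target: Path) -> bool:
    """True if `target` normalizes to a location inside `base`."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def find_unsafe_members(archive_bytes: bytes, dest: str) -> list:
    """Return the names of members that would write outside `dest`.

    Every member is validated before extraction starts, so a single bad
    entry anywhere in the archive rejects the whole package.
    """
    base = Path(dest)
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = m.name
            # Absolute names and '..' components are the classic traversal vectors.
            if os.path.isabs(name) or ".." in Path(name).parts:
                unsafe.append(name)
                continue
            if not _is_within(base, base / name):
                unsafe.append(name)
                continue
            # Link members can point outside even when their own name is clean.
            if m.issym():
                link_target = (base / name).parent / m.linkname
            elif m.islnk():
                link_target = base / m.linkname
            else:
                link_target = None
            if link_target is not None and not _is_within(base, link_target):
                unsafe.append(name)
                continue
            # An application package has no business creating device nodes or FIFOs.
            if m.isdev() or m.isfifo():
                unsafe.append(name)
    return unsafe


def safe_extract(archive_bytes: bytes, dest: str) -> None:
    """Extract only if the package contains no member that escapes `dest`."""
    unsafe = find_unsafe_members(archive_bytes, dest)
    if unsafe:
        raise ValueError(f"refusing to extract; unsafe members: {unsafe}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        tar.extractall(dest)


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample package: one legitimate file plus, optionally,
    three members that try to escape the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        files = [("app/manifest.yaml", b"name: demo\n")]
        if malicious:
            files += [("../escape.txt", b"x"), ("/abs.txt", b"y")]
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if malicious:
            link = tarfile.TarInfo("app/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_unsafe_members(build_sample_archive(), "extract_dest"))
```

The important design choice is that validation runs over the full member list before a single file is written: checking each member as it is extracted is weaker, because a symlink written early can redirect a later, individually clean-looking path. Python 3.12 and later also offer `tarfile.extractall(..., filter="data")`, which enforces similar rules.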
“It’s important to note that these vulnerabilities require the attacker to be authenticated and have admin privileges on the system. While this limits the potential severity, there are many ways for an attacker to gain credentials to systems. While bugs requiring authentication are often downplayed, we regularly see privilege escalation bugs leveraged by nation-states. An attacker can gain authenticated administrative access through default login credentials, phishing or social engineering,” added McKee.
Although the vulnerabilities were found in the Cisco ISR 4431 router, they are applicable to a host of Cisco devices, including 800 Series Industrial ISRs, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, IOS XE-based devices configured with IOx, IR510 WPAN Industrial Routers and Cisco Catalyst Access Points (COS-APs).
Organizations with affected devices should update to the latest firmware immediately. It is also important to check whether any abnormal containers are installed or running in your environment, and, if you are not using containers, to disable IOx (the container framework). Cisco's security advisory provides patch information for these vulnerabilities.
“Cisco was a model partner in this research and disclosure process. Collaboration is key across vendors and researchers, to minimize our global attack surface and remain resilient from cyber threats. We want to thank them for their transparency and speed in addressing these vulnerabilities,” concluded McKee.