Cisco has released security updates this week to address a high-severity vulnerability in the Cisco IOx application hosting environment that can be exploited in command injection attacks.
The security flaw (CVE-2023-20076) is due to the incomplete sanitization of parameters passed during the app activation process. It was found and reported by security researchers Sam Quinn and Kasimir Schulz with the Trellix Advanced Research Center.
Successful exploitation in low-complexity attacks that don’t require user interaction enables remote authenticated threat actors to execute commands with root permissions on the underlying operating system.
“An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file,” Cisco explains in a security advisory published on Wednesday.
The company says the vulnerability affects Cisco devices running IOS XE software, but only if they don’t support native docker.
Besides IOS XE-based devices configured with IOx, the list of impacted devices also includes 800 Series Industrial ISR routers, CGR1000 compute modules, IC3000 industrial compute gateways, IR510 WPAN industrial routers, and Cisco Catalyst access points (COS-APs).
The company also confirmed that the CVE-2023-20076 flaw doesn’t affect Catalyst 9000 Series switches, IOS XR and NX-OS software, or Meraki products.
What we found pt. 1 – CVE-2023-20076 (authenticated remote command Injection)
– Impacts wide variety of @Cisco Devices.
– Allows attacker to inject code into Cisco web interface field.
– Our Team used command injection to gain a persistent shell that survived device reboots.
— Trellix Advanced Research Center (@TrellixARC) February 1, 2023
Enables persistence across restarts
Attackers can only exploit this vulnerability if they have authenticated administrative access to the vulnerable systems.
However, the Trellix researchers explained that threat actors exploit other security flaws allowing privilege escalation, or can use various tactics to obtain admin credentials.
For instance, to gain admin access to the targeted devices, they can use:
- Default login credentials: Many Cisco appliances ship with the default username and password of “cisco:cisco” or “admin:admin” which many fail to change
- Phishing: The most used method for attackers to harvest credentials is tricking employees into logging into a fake router UI or spoofing an email from the router itself with a link to the login page “requesting to update the firmware.”
- Social engineering: Attackers also find success exploiting human weakness by social engineering someone to hand over credentials
Once this requirement is fulfilled, attackers can exploit CVE-2023-20076 for “unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades,” as the researchers explained.
“Side-stepping this security measure means that if an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted.”
This is possible because the command injection enables bypassing mitigations put in place by Cisco to prevent vulnerability persistence between system reboots or system resets.
Cisco’s Product Security Incident Response Team (PSIRT) says it found no evidence that this vulnerability is being exploited in the wild.
In January, Cisco warned customers of a critical authentication bypass vulnerability (CVE-2023-20025) with public exploit code affecting multiple models of end-of-life VPN routers.
One week later, Censys found over 20,000 RV016, RV042, RV042G, and RV082 Cisco routers unpatched against CVE-2023-20025 and exposed to attacks.