Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover

Two security holes — one particularly gnarly — could allow hackers the freedom to do as they wish with the popular edge equipment.

DARKReading

A security vulnerability has been found in Cisco gear used in data centers, large enterprises, industrial factories, power plants, manufacturing centers, and smart city power grids that could allow cyberattackers unfettered access to these devices and broader networks.

In a report published on Feb. 1, researchers from Trellix revealed the bug, one of two vulnerabilities discovered that affect the following Cisco networking devices:

  • Cisco ISR 4431 routers
  • 800 Series Industrial ISRs
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways
  • IOS XE-based devices configured with IOx
  • IR510 WPAN Industrial Routers
  • Cisco Catalyst Access points

One bug — CSCwc67015 — was spotted in yet-to-be-released code. It could have allowed hackers to remotely execute their own code, and potentially overwrite most of the files on the device.

The second, arguably nastier, bug — CVE-2023-20076 — found in production equipment, is a command-injection flaw that could open the door to unauthorized root-level access and remote code execution (RCE). This would have entailed not just total control over a device’s operating system but also persistence through any upgrades or reboots, despite Cisco’s guardrails against such a scenario.

Given that Cisco networking equipment is used worldwide in data centers, enterprises, and government organizations, and it’s the most common footprint at industrial sites, the impact of the flaws could be notable, according to Trellix.

“In the world of routers, switches, and networking, Cisco is the current king of the market,” Sam Quinn, senior security researcher with the Trellix Advanced Research Center, tells Dark Reading. “We would say that thousands of businesses could potentially be impacted.”

Inside the Latest Cisco Security Bugs

The two vulnerabilities are a byproduct of a shift in the nature of routing technologies, according to Trellix. Network administrators today have the ability to deploy application containers or even entire virtual machines on these miniature-server-routers. With this greater complexity comes both greater functionality, and a wider attack surface.

“Modern routers now function like high-powered servers,” the authors of the report explained, “with many Ethernet ports running not only routing software but, in some cases, even multiple containers.”

Both CSCwc67015 and CVE-2023-20076 arise from the router’s advanced application hosting environment.

CSCwc67015 reflects how, in the hosting environment, “a maliciously packed application could bypass a vital security check while uncompressing the uploaded application.” The check attempted to secure the system against CVE-2007-4559, a 15-year-old path traversal vulnerability in Python’s tarfile module that Trellix itself had identified last September. With a “moderate” CVSS v3 score of 5.5, it allowed malicious actors to overwrite arbitrary files.

Meanwhile, the bug tracked as CVE-2023-20076 similarly takes advantage of the ability to deploy application containers and virtual machines to Cisco routers. In this case, it has to do with how admins pass commands to run their applications.

“The ‘DHCP Client ID’ option within the Interface Settings was not correctly being sanitized,” the researchers discovered, which allowed them root-level access to the device, connoting “the ability to inject any OS command of our choosing.”

A hacker who abused this power “could have a significant impact on the device’s functionality and the overall security of the network,” Quinn explains, including “modifying or disabling security features, exfiltrating data, disrupting network traffic, spreading malware, and running rogue processes.”

The bad news doesn’t end there, though. The authors of the report highlighted how “Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets.” However, in a proof-of-concept video, they demonstrated how exploitation of the command-injection bug could lead to completely unfettered access, allowing a malicious container to persist through device reboots or firmware upgrades. This leaves only two possible solutions for removal: a full-on factory reset or manually identifying and removing the malicious code.

Cisco Industrial Gear: Potential Supply Chain Risk

If there’s a silver lining to these bugs, it’s that exploiting either would require admin-level access over a relevant Cisco device. That is a hurdle, granted, but attackers routinely obtain administrative privileges from their victims through ordinary social engineering and privilege escalation. The researchers also noted that users often don’t bother to change the default username and password, leaving no protection whatsoever for this most sensitive account.

One must also consider the supply chain risk. The authors highlighted how many organizations purchase networking devices from third-party sellers, or use third-party service providers for their device configuration and network design. A malicious vendor could utilize a vulnerability like CVE-2023-20076 to do some very easy, subtle, and powerful tampering.

The sheer degree of access this hole provides “could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user,” the authors explained. Of course, the overwhelming majority of third-party service providers are perfectly honest businesses. But those businesses may themselves be compromised, making it a moot point.

In concluding their report, the Trellix researchers urged organizations to check for any abnormal containers installed on relevant Cisco devices, and recommended that organizations that don’t run containers disable the IOx container framework entirely. Most important of all, they emphasized, was that “organizations with affected devices should update to the latest firmware immediately.”

To protect themselves, users should apply the patch as soon as possible.

Related news

Red Hat Security Advisory 2024-0374-03

Red Hat Security Advisory 2024-0374-03 - An update for python-pip is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2023-7176-01

Red Hat Security Advisory 2023-7176-01 - An update for python-pip is now available for Red Hat Enterprise Linux 8. Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2023-7151-01

Red Hat Security Advisory 2023-7151-01 - An update for python3 is now available for Red Hat Enterprise Linux 8. Issues addressed include a traversal vulnerability.

Gentoo Linux Security Advisory 202309-06

Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.

CVE-2023-20076: Cisco Security Advisory: Cisco IOx Application Hosting Environment Command Injection Vulnerability

A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system.
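The advisory above and the Trellix finding about the unsanitized “DHCP Client ID” field both describe the same class of defect: an activation parameter reaching a shell command string without validation. The following Python is an added example, not Cisco's or Trellix's code, and `net-helper`, the `--client-id` flag, the allowlist regex and the `SAMPLE_ACTIVATION` payload are all assumptions constructed for illustration. It shows the vulnerable pattern (string interpolation into a shell command) beside the hardened one (allowlist validation plus an argv list that never touches a shell), and a small audit routine a defender could run over exported activation parameters to flag values containing shell metacharacters.

```python
import re
import shlex

# Characters a POSIX shell interprets specially. Any of them inside a value
# that is spliced into a shell command string is a red flag.
SHELL_META = set(";|&$`<>()\n\"'\\*?{}[]")

# Allowlist for the client identifier. ASSUMPTION for this example: a short
# token of letters, digits, dot, colon, underscore or hyphen. This is not
# Cisco's validation rule; a real implementation derives it from the spec
# of the field being accepted.
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")


def validate_client_id(value: str) -> str:
    """Accept only values matching the allowlist; reject everything else."""
    if not CLIENT_ID_RE.fullmatch(value):
        raise ValueError(f"rejected DHCP client id: {value!r}")
    return value


def vulnerable_command(client_id: str) -> str:
    """Anti-pattern: untrusted input spliced into a string a shell will parse.

    'net-helper' is a hypothetical tool name used only for illustration.
    """
    return f"net-helper --client-id {client_id}"


def hardened_argv(client_id: str) -> list[str]:
    """Validate first, then pass the value as one argv element.

    Run with subprocess.run(hardened_argv(x)) (shell=False, the default):
    the value is handed to the program as a single literal argument and no
    shell ever parses it.
    """
    return ["net-helper", "--client-id", validate_client_id(client_id)]


def shell_word_count(command: str) -> int:
    """How many words a POSIX shell would see in a command string."""
    return len(shlex.split(command))


def suspicious_parameters(params: dict[str, str]) -> list[str]:
    """Names of parameters whose values contain shell metacharacters.

    Useful for auditing exported activation parameters: a legitimate
    client id, mode or address never needs these characters.
    """
    return sorted(k for k, v in params.items() if SHELL_META & set(v))


# Constructed sample of activation parameters (not the real IOx format).
SAMPLE_ACTIVATION = {
    "dhcp_client_id": "sensor-01",
    "ipv4_mode": "dhcp",
    "gateway": "192.0.2.1",
}

if __name__ == "__main__":
    print(hardened_argv(SAMPLE_ACTIVATION["dhcp_client_id"]))
    print("suspicious:", suspicious_parameters(SAMPLE_ACTIVATION))
    # A value containing a space already shows the problem with the string
    # form: the shell sees four words instead of three.
    print(shell_word_count(vulnerable_command("a b")))
```

The validation step matters as much as the argv form: an argv list stops the shell from reinterpreting the value, but the receiving program may still hand it to another shell or config parser, so an allowlist on the field's real grammar is the first line of defence and the audit routine is the detective control for payloads that were already accepted.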

New High-Severity Vulnerabilities Discovered in Cisco IOx and F5 BIG-IP Products

F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution. The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects the following versions of BIG-IP - 13.1.5 14.1.4.6 - 14.1.5 15.1.5.1 - 15.1.8 16.1.2.2 - 16.1.3, and 17.0.0 "A format string vulnerability exists in iControl SOAP

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management. The shortcoming,

15-Year-Old Python Flaw Slithers into Software Worldwide

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

CVE-2007-4559: [Python-Dev] tarfile and directory traversal vulnerability

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
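The CVE text above, and the CSCwc67015 bug earlier on this page in which a "maliciously packed application" slipped past the check guarding against it, both come down to trusting member names inside a tar archive. The Python below is an added example, not the Trellix, Cisco or CPython code, and its archive contents, the `EXAMPLE_DEST` path and the helper names are constructed for illustration. It builds a small archive in memory containing a benign file, a member whose name uses `..` to climb out of the extraction directory, and a symlink pointing at `/etc`, then shows a pre-extraction check that rejects the whole archive if any member (file, symlink or hard link) would land outside the destination. Where Python 3.12 or later is available it also enables the `data` extraction filter from PEP 706 as a second layer.

```python
import io
import os
import tarfile
import tempfile

# Constructed destination used by the demo; any directory would do.
EXAMPLE_DEST = os.path.join(tempfile.gettempdir(), "iox-app-example")


def build_sample_archive(include_escapes: bool = True) -> bytes:
    """Build a tar archive in memory (constructed sample, not real IOx data).

    Always contains one benign file. With include_escapes it also contains a
    member whose name climbs out with ".." and a symlink that targets /etc.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        names = ["app/config.json"]
        if include_escapes:
            names.append("../../etc/hostname")
        data = b"{}\n"
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if include_escapes:
            link = tarfile.TarInfo(name="app/escape")
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc"
            tar.addfile(link)
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True if path resolves to root or somewhere beneath it."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Names of members that would write or link outside dest."""
    dest_real = os.path.realpath(dest)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            # Absolute names and ".." sequences both fail this check.
            target = os.path.join(dest_real, member.name)
            if not _inside(dest_real, target):
                flagged.append(member.name)
                continue
            if member.issym():
                # A symlink target is relative to the link's own directory.
                link_target = os.path.join(os.path.dirname(
                    os.path.realpath(target)), member.linkname)
            elif member.islnk():
                # A hard-link target is relative to the archive root.
                link_target = os.path.join(dest_real, member.linkname)
            else:
                continue
            if not _inside(dest_real, link_target):
                flagged.append(member.name)
    return flagged


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Reject the whole archive if any member is unsafe, else extract it."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"archive rejected, unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+: the "data" filter refuses escapes and special
            # files on its own, so keep it as defence in depth.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return tar.getnames()


def demo() -> dict:
    """Run the check on the hostile and the clean archive; return results."""
    result = {"rejected": unsafe_members(build_sample_archive(), EXAMPLE_DEST)}
    with tempfile.TemporaryDirectory() as workdir:
        result["extracted"] = safe_extract(
            build_sample_archive(include_escapes=False), workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

Rejecting the entire archive, rather than skipping the offending members, is deliberate: an application package with even one escaping path is not a package worth installing, and silently dropping members would leave a partially deployed app that is harder to reason about than a clean refusal.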
