The Trellix Advanced Research Center found two vulnerabilities in Cisco appliances: one that could allow attackers to gain persistent root access to the underlying system. These vulnerabilities were disclosed per Trellix’s responsible disclosure process.
“Our team focuses on finding critical zero-day vulnerabilities in enterprise software and hardware to expose and reduce attack surfaces. To do this, we are always looking for new devices and software to investigate. During a team building exercise, the Trellix Advanced Research Center’s vulnerability research team found two vulnerabilities — a command injection (CVE-2023-20076) and a path traversal (Cisco bug ID CSCwc67015) — in a Cisco ISR 4431 router that impacts a wide range of other Cisco devices,” commented Doug McKee, Director of Vulnerability Research & Principal Engineer, Trellix Advanced Research Center.
CVE-2023-20076: Authenticated Remote Command Injection in wide variety of Cisco Devices
This vulnerability allows an attacker to remotely inject code into a field on the Cisco web interface. Trellix was able to use the command injection to gain a persistent shell that survived device reboots. The vulnerability also allows root shell access which gives an attacker control over almost anything. With full control over everything that happens, an attacker can potentially hide all traces of what they have done or are doing.
The persistence of the vulnerability is significant in that Cisco designs its devices specifically to negate this capability.
CSCwc67015: Arbitrary File Write leading to Code Execution
This vulnerability allows an attacker to overwrite most files on the operating system. Cisco’s IOx Local Manager allows users to upload and run applications in virtualized containers. Through reverse engineering the application hosting environment, the Trellix team discovered that a maliciously packed application could bypass a vital security check while uncompressing the uploaded application.
This vulnerability was given a Cisco Bug ID rather than a CVE since it is not currently exploitable in any devices since it is a future feature that was not yet enabled. The code was written and set to be deployed in the future. As such Trellix was able to prevent an impactful vulnerability before it was even released.
“It’s important to note that these vulnerabilities require the attacker to be authenticated and has admin privileges on the system. While this limits the potential severity, there are many ways for an attacker to gain credentials to systems. While bugs requiring authentication are often downplayed, we regularly see privilege escalation bugs leveraged by nation-states. An attacker can gain authenticated administrative access through default login credentials, phishing or social engineering,” added McKee.
Although the vulnerabilities were found in the Cisco ISR 4432 router, it is applicable to a host of Cisco devices including:
- 800 Series Industrial ISRs: Routers designed for industrial environments, such as powerplants, factories, and other harsh environments
- CGR1000 Compute Modules: Compute modules for enterprise cloud services primarily aimed to run VPNs, firewalls, and WAN optimizations
- IC3000 Industrial Compute Gateways: The compute gateway line of products provides real-time data processing, analytics, and automation for industrial environments
- IOS XE-based devices configured with IOx: Routers for third-party applications to run inside of a containerized environment directly on the router itself
- IR510 WPAN Industrial Routers: A Wireless Personal Area Network (WPAN) router for smart factories and smart grids where wireless is required
- Cisco Catalyst Access points (COS-APs): Another wireless access point primarily focused on enterprise environments with a high number of connected devices
Organizations with affected devices should update to the latest firmware immediately. It’s also important to check if there are any abnormal containers installed or running in your environment and if you aren’t using containers, disable the IOx (container framework). Cisco’s security advisory and patch information for these vulnerabilities can be found here. “Cisco was a model partner in this research and disclosure process. Collaboration is key across vendors and researchers, to minimize our global attack surface and remain resilient from cyber threats. We want to thank them for their transparency and speed in addressing these vulnerabilities,” concluded McKee.