Overview

Two new security vulnerabilities were discovered in Cisco products that are used throughout many organizations, including industrial factories, large enterprises, manufacturing centers, power grids, and data centers. These vulnerabilities can give attackers access to the affected devices and, from there, to the wider network. Affected devices include:

  • 800 Series Industrial ISRs
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways
  • IOS XE-based devices configured with IOx
  • IR510 WPAN Industrial Routers
  • Cisco Catalyst Access Points (COS-APs)


The first of the two has not yet been assigned a CVE identifier and is tracked as Cisco bug ID CSCwc67015. It is an arbitrary file write vulnerability in the application hosting environment. This bug could allow attackers to overwrite files on the device and remotely execute their own code. It arises in the feature of the application hosting environment that lets users upload applications and then run them in virtual containers. While reverse engineering this feature, researchers found that a maliciously packed application could bypass a security check while the uploaded application is decompressed. That security check had been put in place to protect against an earlier vulnerability, CVE-2007-4559. Now that the issue has been brought to Cisco's attention, fixed code is being released.
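As an added illustration (not Cisco's IOx code), the kind of path-containment check an archive extraction routine needs so that CVE-2007-4559-style entries cannot land outside the extraction directory; the destination path, the archive contents and the helper names are constructed for this example.

```python
import io
import os
import tarfile

# Illustrative check only; it is not the implementation Cisco ships.
# Python 3.12+ also offers tarfile.extractall(..., filter="data") for this.


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return names of members that would resolve outside dest.

    Catches absolute names, '..' traversal, and symlinks/hardlinks whose
    target resolves outside the extraction directory.
    """
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            # Hardlink names are archive-relative; symlinks are relative
            # to the directory that contains the link.
            base = root if m.islnk() else os.path.dirname(target)
            link = m.linkname
            resolved = os.path.realpath(
                link if os.path.isabs(link) else os.path.join(base, link))
            if os.path.commonpath([root, resolved]) != root:
                bad.append(m.name)
    return bad


def build_archive(entries) -> tarfile.TarFile:
    """Build an in-memory tar from (name, data_or_linkname, kind) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        for name, payload, kind in entries:
            info = tarfile.TarInfo(name)
            if kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tw.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tw.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


# Constructed sample: one benign file, one traversal entry, one escaping symlink.
SAMPLE = [
    ("app/package.yaml", "name: demo\n", "file"),
    ("../../outside.txt", "constructed\n", "file"),
    ("app/escape", "../../../../tmp", "sym"),
]


def check_sample(dest="/opt/iox/app-extract"):
    return unsafe_members(build_archive(SAMPLE), dest)
```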

The second vulnerability, CVE-2023-20076, is more dangerous: it is a remote command injection vulnerability in the application hosting component, the component that allows administrators to deploy application containers or virtual machines directly onto the Cisco device. The flaw is the result of insufficient sanitization of the DHCP Client ID option, which gives an attacker the ability to inject an operating system command. As of now, there are no workarounds for this vulnerability. However, keep in mind that both issues require the attacker to be authenticated with admin privileges, which limits their severity, but it is not uncommon for credentials to be stolen if they are not properly secured.

Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL – Cisco website with vulnerability CVE-2023-20076
https://www.darkreading.com/ics-ot/command-injection-bug-cisco-industrial-gear-devices-complete-takeover
https://www.computerweekly.com/news/365530036/Cisco-fixes-two-bugs-that-could-have-led-to-supply-chain-attacks-on-users
https://www.trellix.com/en-us/about/newsroom/stories/research/when-pwning-cisco-persistence-is-key-when-pwning-supply-chain-cisco-is-key.html