Cisco patches command injection vulnerability.

Researchers at Trellix discovered two vulnerabilities in Cisco appliances, one of which could be used to gain persistent root access to the affected system.

Command injection flaw impacts multiple devices.

The more serious of the two vulnerabilities is CVE-2023-20076, a remote command injection flaw. The researchers first discovered this flaw in a Cisco ISR 4431 router, then found that it also affected “wide range of other Cisco devices”:

“This vulnerability was discovered in the application hosting component and allows administrators to deploy application containers or virtual machines directly on the Cisco device. The commands used to orchestrate the virtualized applications are run on the base system and are somewhat transparent to the end user. For attackers and researchers alike, the way commands pass to the underlying system is a prime target to explore. Through reverse engineering and in-depth static analysis, our team identified that the "DHCP Client ID" option within the Interface Settings was not correctly being sanitized, allowing the ability to inject any OS command of our choosing.”

In addition to Cisco ISR 4431 routers, the vulnerability also impacts the following devices:

• “800 Series Industrial ISRs: Routers designed for industrial environments, such as powerplants, factories, and other harsh environments
• “CGR1000 Compute Modules: Compute modules for enterprise cloud services primarily aimed to run VPNs, firewalls, and WAN optimizations
• “IC3000 Industrial Compute Gateways: The compute gateway line of products provides real-time data processing, analytics, and automation for industrial environments
• “IOS XE-based devices configured with IOx: Routers for third-party applications to run inside of a containerized environment directly on the router itself
• “IR510 WPAN Industrial Routers: A Wireless Personal Area Network (WPAN) router for smart factories and smart grids where wireless is required
• “Cisco Catalyst Access points (COS-APs): Another wireless access point primarily focused on enterprise environments with a high number of connected devices”

Cisco issues patches.

Cisco has released patches for the vulnerability, and customers are urged to apply them as soon as possible. Trellix notes that “Cisco was a model partner in this research and disclosure process.”