Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can’t be deleted by simply rebooting the device or updating its firmware.
“In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. Side-stepping this security measure means that if an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted,” according to Trellix vulnerability researchers Sam Quinn and Kasimir Schulz.
Though attackers must first gain authenticated administrative access to a vulnerable device to exploit it, successful phishing attacks, default login credentials and privilege escalation bugs are not as rare occurances as one would wish and can clear the path for CVE-2023-20076 exploitation.
CVE-2023-20076 was discovered by the researchers in a Cisco ISR 4431 router – more specifically, in the Cisco IOx application hosting environment, which allows administrators to deploy application containers or virtual machines directly on Cisco devices.
“This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system,” Cisco explains.
The vulnerability has also been confirmed to affect other Cisco solutions:
- 800 Series Industrial ISRs (industrial routers)
- IC3000 Industrial Compute Gateways (for real-time data processing, analytics, and automation for industrial environments)
- IOS XE-based devices configured with IOx (i.e., routers capable of running third-party apps inside of a containerized environment
- Cisco Catalyst Access points (wireless access point for enterprise environments with a high number of connected devices)
- IR510 WPAN Industrial Routers (wireless routers smart factories and smart grids)
- CGR1000 Compute Modules (for enterprise cloud services)
There are no workarounds available. Patches / security updates for all but the last two listed devices have been provided, and Cisco will deliver the rest sometime this month.
“Customers who do not want to use the Cisco IOx application hosting environment can disable IOx permanently on the device using the no iox configuration command,” the company noted, after confirming that the vulnerability is present only if the Cisco IOx feature is enabled.
The fact that CVE-2023-20076 may allow attackers to trigger malicious commands is a problem, but an arguably bigger one is that it bypasses mitigations implemented by Cisco to ensure vulnerabilities do not persist in a system, the researchers noted.
“With the complexities of enterprise networking, many businesses outsource the configuration and network design to third-party installers. A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain. The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user,” they explained, and advised consumers of edge devices “to closely monitor their supply chain and ensure that any third-party resellers, partners, or managed service providers have transparent security protocols.”