Trellix researchers, in a report published on February 1st reveals the bug, one of two flaws discovered, impacts the following Cisco networking devices:
- Cisco ISR 4431 routers
- 800 Series Industrial ISRs
- CGR1000 Compute Modules
- IC3000 Industrial Compute Gateways
- IOS XE-based devices configured with IOx
- IR510 WPAN Industrial Routers
- Cisco Catalyst Access points
One bug — CSCwc67015 — was discovered in code which is not yet released. Apparently, it has the capability to allow hackers to execute their own code, and possibly replace the majority of the files on the device.
The second bug (allegedly more malicious) — CVE-2023-20076 — found in production equipment, is a command-injection vulnerability which could enable unauthorized access and remote code execution (RCE). Despite Cisco's barriers against such a situation, this would have required not only complete control of a device's operating system but also persistence through any upgrades or reboots.
According to Trellix, since Cisco networking equipment is being operated around the globe in data centers, enterprises, and government organizations, including its most common footprints at industrial facilities, this makes the impact of the vulnerabilities more significant.
“In the world of routers, switches, and networking, Cisco is the current king of the market[…]We would say that thousands of businesses could potentially be impacted,” says Sam Quinn, senior security researcher with the Trellix Advanced Research Center.
The Latest Cisco Security Flaws
According to Trellix, the two flaws are a result of a shift in how routing technology work. On these miniature-server-routers, network administrators may now install application containers or even entire virtual systems. Along with great functionality, this increased complexity will also lead to a broader attack surface.
"Modern routers now function like high-powered servers[…]with many Ethernet ports running not only routing software but, in some cases, even multiple containers," the authors of the report explained.
Both CSCwc67015 and CVE-2023-20076 roots from the router's advanced application hosting environment.
In terms of CSCwc67015, "a maliciously packed programme could bypass a vital security check while uncompressing the uploaded application" in the hosting environment. The study aimed to safeguard the system from CVE-2007-4559, a 15-year-old path traversal vulnerability in a Python module that Trellix itself had discovered in September.
The flaw CVE-2023-20076, however, also makes use of the Cisco routers' support for virtual machines and application containers. In this particular case, it has to do with how admins pass commands to start their applications.
The researchers identified that the 'DHCP Client ID' option inside the Interface Settings was not properly being sanitized, granting them root-level access to the device and enabling them to "inject any OS command of our choosing."
Adding to this, the authors of the report highlight how "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets."
However, they showed in a proof-of-concept video how the command-injection problem might be exploited to gain total access, enabling a malicious container to withstand device reboots or firmware updates. There are now only two options for removal: doing a complete factory reset or manually identifying and eradicating the malicious code.
Furthermore, in a concluding remark, the Trellix researchers have advised organizations to watch out for any suspicious containers installed on relevant Cisco devices, and recommended that companies that do not operate containers to disactivate the IOx container framework completely.
They highlighted that "organizations with impacted devices should update to the newest firmware immediately" as being the most crucial step to follow.
Moreover, users are advised to apply the patch as soon as possible, in order to protect themselves from the vulnerabilities.