Cisco has recently identified [1, 2] multiple security vulnerabilities affecting several of its products, including Cisco Evolved Programmable Network Manager (EPNM), Cisco Identity Services Engine (ISE), Cisco Prime Infrastructure, and Cisco Secure Network Analytics. The restricted-shell vulnerabilities could allow authenticated attackers to escape the restricted shell and gain root privileges on the underlying operating system; the Secure Network Analytics vulnerability could allow an authenticated, remote attacker to execute arbitrary code on the underlying OS.
- CVE-2023-20122: Cisco ISE Command Injection Vulnerability (CVSS score of 7.8)
A vulnerability found in the restricted shell of Cisco ISE could enable an authenticated, local attacker to escape the restricted shell and obtain root privileges on the underlying OS. The issue arises from improper validation of parameters sent to a specific CLI command within the restricted shell.
Attackers could exploit this vulnerability by logging into a device and issuing a specially crafted CLI command. Successful exploitation requires the attacker to be an authenticated shell user, which can be either an administrative or a read-only role account.
Cisco has released software updates addressing this vulnerability, with no available workarounds.
- CVE-2023-20121: Command Injection Vulnerability in Cisco EPNM, Cisco ISE, and Cisco Prime Infrastructure (CVSS score of 6.0)
This vulnerability, also due to improper validation of parameters sent to a specific CLI command within the restricted shell, affects Cisco EPNM, Cisco ISE, and Cisco Prime Infrastructure. An authenticated, local attacker can exploit it by logging in to the device and issuing a crafted CLI command, thereby escaping the restricted shell and gaining root privileges on the underlying OS.
The outcome depends on the role of the account used. In Cisco EPNM and Cisco Prime Infrastructure, exploitation through a user role will not grant root privileges; root can only be obtained when the vulnerability is exploited through an admin role. In Cisco ISE, the vulnerability can only be exploited through an admin role.
Cisco has released software updates to address this vulnerability, and no workarounds are available.
- CVE-2023-20102: Cisco Secure Network Analytics Remote Code Execution Vulnerability (CVSS score of 8.8)
A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker to execute arbitrary code on the underlying OS. This issue stems from insufficient sanitization of user-provided data that is parsed into system memory.
Attackers can exploit this vulnerability by sending a crafted HTTP request to an affected device, potentially allowing them to execute arbitrary code on the underlying OS as the administrator user.
Cisco has released software updates to address this vulnerability, with no available workarounds. The Cisco PSIRT is not aware of any public announcements or malicious use of the CVE-2023-20102 vulnerability.