CVE-2023-20076: Cisco IOx application hosting environment command injection flaw
Cisco announced patches for a high-severity command injection vulnerability in the Cisco IOx application hosting environment.
The move to virtual environments has given rise to the need to build applications that are reusable, portable, and scalable. Application hosting gives administrators a platform for leveraging their own tools and utilities. An application hosted on a network device can serve a variety of purposes, including automation, configuration management monitoring, and integration with existing tool chains.
Tracked as CVE-2023-20076 (CVSS score of 7.2), the vulnerability exists because of incomplete sanitization of parameters passed in for activation of an application. By using a specially-crafted activation payload file, an attacker could exploit this vulnerability to execute arbitrary commands as root on the underlying host operating system.
“An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system,” Cisco explains in an advisory.
The tech giant has credited Sam Quinn, senior security researcher, and Kasimir Schulz, security researcher, of the Trellix Advanced Research Center with reporting this vulnerability.
“CVE-2023-20076 gains unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades. Side-stepping this security measure means that if an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted,” Trellix explains.
This flaw affects Cisco devices that are running Cisco IOS XE Software if they have the Cisco IOx feature enabled and they do not support native docker. The vulnerability has also been confirmed to affect other Cisco solutions:
- 800 Series Industrial ISRs
- CGR1000 Compute Modules
- IC3000 Industrial Compute Gateways (releases 1.2.1 and later run native docker)
- IR510 WPAN Industrial Routers
Cisco has released security updates for the impacted solutions and advised customers to update their Cisco products as soon as possible.
Cisco says it is not aware of this vulnerability being exploited in the wild. Further information on the flaw can be found on Cisco’s product security page.