Cisco fixes two bugs that could have led to supply chain attacks on users
Cisco has moved to fix two vulnerabilities – one live and one in yet-to-be-released code – that affect a wide range of enterprise and industrial network hardware products and left unchecked could allow attackers to gain persistent root access to the underlying system.
Uncovered by Trellix vulnerability researchers Sam Quinn and Kasimir Schulz, the two vulnerabilities were found in the Cisco ISR 4431 router. However, they also affect all 800 Series Industrial ISR industrial routers, CGR1000 Compute Modules for enterprise cloud services, IC3000 Industrial Compute Gateways, IOS XE-based devices configured with IOx, IR510 WPAN Industrial Routers, and Cisco Catalyst access points.
The first and more immediately dangerous issue has been assigned CVE-2023-20076. It is a remote command injection vulnerability in the application hosting component that lets admins deploy application containers or virtual machines to the device. It arises from improper sanitisation of the DHCP Client ID option within interface settings, giving an attacker the ability to inject an operating system command of their choosing.
The attack path additionally bypasses mitigations Cisco has in place to stop vulnerabilities persisting in a system across reboots and firmware upgrades, so if successfully exploited, a malicious package could keep running until the device is factory reset or it is found and manually deleted.
The second issue has not been assigned a CVE designation, but is for now being tracked using Cisco bug ID CSCwc67015. It is an arbitrary file write vulnerability that could enable an attacker to execute code on the affected devices. It arises in the application hosting environment via a feature that enables users to upload and run applications in virtual containers – when reverse engineering this environment, the researchers found a maliciously packed application could bypass a vital security check while simultaneously uncompressing the uploaded application.
The bypassed security check was designed to secure the system against CVE-2007-4559 – a very old vulnerability in Python’s tarfile module that has been the subject of much work by Trellix’s teams before and had not been fixed here. The team investigated further and found that while the code could be reached from the application, the device couldn’t be exploited because it was missing a needed module. Quinn and Schulz reported it just the same because other devices could have been affected, and ultimately it was found exploitable in code set to be deployed by Cisco in the future. Thanks to the disclosure, this code will eventually go live with a fix.
Users should note that both issues require an attacker to have authenticated and obtained admin privileges, so while the potential severity of the vulnerabilities is a little more limited, it is not difficult for determined attackers to gain admin credentials if, for example, the default login credentials have never been changed, via a fairly basic phishing attack or through social engineering. Indeed, said Quinn and Schulz, such bugs are often leveraged by nation-state-backed advanced persistent threat (APT) groups.
In their write-up, Quinn and Schulz described how such vulnerabilities in modern routers were becoming of greater potential impact. “Unlike those of the past, modern routers now function like high-powered servers with many ethernet ports running not only routing software but, in some cases, even multiple containers,” they said. “The complexity of these systems expands the already ripe attack surface for threat actors. If an attacker could access one of these devices and get complete control, they would have a foothold in a network and a powerful ‘server’ within their control.”
Dangerous supply chain attacks
The researchers also highlighted how vulnerable edge networking devices are to supply chain attacks. “With the complexities of enterprise networking, many businesses outsource the configuration and network design to third-party installers,” they explained.
“A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain. The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the user.
“Consumers of these edge devices need to closely monitor their supply chain and ensure that any third-party resellers, partners, or managed service providers have transparent security protocols.”
Although there is no sign that this has happened, such issues can also be magnified over time as more devices make their way to market with the vulnerability in place, and more users introduce them to their networks, leading to a Log4Shell-like situation where thousands, even millions, of organisations are unaware they are at risk.
Left unpatched, such vulnerabilities can also migrate into new environments as edge network hardware is moved around, introduced to different parts of the enterprise network, or refurbished and resold to new owners through the channel, giving threat actors access to new victims.
“Organisations with affected devices should update to the latest firmware immediately. It’s also important to check if there are any abnormal containers installed or running in your environment, and if you aren’t using containers, disable the IOx (container framework),” wrote Quinn and Schulz.
“Cisco was a model partner in this research and disclosure process. Collaboration is key across vendors and researchers, to minimise our global attack surface and remain resilient from cyber threats. We want to thank them for their transparency and speed in addressing these vulnerabilities,” they said.