Command-injection bug in Cisco industrial gear opens devices to complete takeover
February 8, 2023
A security vulnerability has been found in Cisco gear used in data centers, large enterprises, industrial factories, power plants, manufacturing centers, and smart city power grids that could allow cyberattackers unfettered access to these devices and broader networks.
In a report published on Feb. 1, researchers from Trellix revealed the bug, one of two vulnerabilities discovered that affect the following Cisco networking devices:
Cisco ISR 4431 routers
800 Series Industrial ISRs
CGR1000 Compute Modules
IC3000 Industrial Compute Gateways
IOS XE-based devices configured with IOx
IR510 WPAN Industrial Routers
Cisco Catalyst Access Points
One bug — CSCwc67015 — was spotted in yet-to-be-released code. It could have allowed hackers to remotely execute their own code, and potentially overwrite most of the files on the device.
The second, arguably nastier, bug — CVE-2023-20076 — found in production equipment, is a command-injection flaw that could open the door to unauthorized root-level access and remote code execution (RCE). This would have entailed not just total control over a device’s operating system but also persistence through any upgrades or reboots, despite Cisco’s guardrails against such a scenario.
Given that Cisco networking equipment is used worldwide in data centers, enterprises, and government organizations, and is the most common footprint at industrial sites, the impact of the flaws could be notable, according to Trellix.
“In the world of routers, switches, and networking, Cisco is the current king of the market,” Sam Quinn, senior security researcher with the Trellix Advanced Research Center, tells Dark Reading. “We would say that thousands of businesses could potentially be impacted.”
Inside the Latest Cisco Security Bugs
The two vulnerabilities are a byproduct of a shift in the nature of routing technologies, according to Trellix. Network administrators today have the ability to deploy application containers or even entire virtual machines on these miniature-server-routers. With this greater complexity comes both greater functionality and a wider attack surface.
“Modern routers now function like high-powered servers,” the authors of the report explained, “with many Ethernet ports running not only routing software but, in some cases, even multiple containers.”
Both CSCwc67015 and CVE-2023-20076 arise from the router’s advanced application hosting environment.
To read the complete article, visit Dark Reading.