Cisco fixes two bugs that could have led to supply chain attacks on users

Two vulnerabilities uncovered in Cisco hardware could have opened the door to serious supply chain cyber attacks, according to the Trellix researchers who found them

Alex Scroxton

By

Published: 01 Feb 2023 16:00

Cisco has moved to fix two vulnerabilities – one live and one in yet-to-be-released code – that affect a wide range of enterprise and industrial network hardware products and left unchecked could allow attackers to gain persistent root access to the underlying system.

Uncovered by Trellix vulnerability researchers Sam Quinn and Kasimir Schulz, the two vulnerabilities were found in the Cisco ISR 4431 router. However, they also affect all 800 Series Industrial ISR industrial routers, CGR1000 Compute Modules for enterprise cloud services, IC3000 Industrial Compute Gateways, IOS XE-based devices configured with IOx, IR510 WPAN Industrial Routers, and Cisco Catalyst access points.

The first and more immediately dangerous issue has been assigned CVE-2023-20076. It is a remote command injection vulnerability in the application hosting component that lets admins deploy application containers or virtual machines to the device. It arises from improper sanitisation of the DHCP Client ID option within interface settings, giving an attacker the ability to inject an operating system command of their choosing.

The attack path additionally bypasses mitigations Cisco has in place to stop vulnerabilities persisting in a system across reboots and firmware upgrades, so if successfully exploited, a malicious package could keep running until the device is factory reset or it is found and manually deleted.

The second issue has not been assigned a CVE designation, but is for now being tracked using Cisco bug ID CSCwc67015. It is an arbitrary file write vulnerability that could enable an attacker to execute code on the affected devices. It arises in the application hosting environment via a feature that enables users to upload and run applications in virtual containers – when reverse engineering this environment, the researchers found a maliciously packed application could bypass a vital security check while simultaneously uncompressing the uploaded application.

The bypassed security check was designed to secure the system against CVE-2007-4559 – a very old vulnerability in Python’s tarfile module that has been the subject of much work by Trellix’s teams before and had not been fixed here. The team investigated further and found that while the code could be reached from the application, the device couldn’t be exploited because it was missing a needed module. Quinn and Schulz reported it just the same because other devices could have been affected, and ultimately it was found exploitable in code set to be deployed by Cisco in the future. Thanks to the disclosure, this code will eventually go live with a fix.

Users should note that both issues require an attacker to have authenticated and obtained admin privileges, so while the potential severity of the vulnerabilities is a little more limited, it is not difficult for determined attackers to gain admin credentials if, for example, the default login credentials have never been changed, via a fairly basic phishing attack or through social engineering. Indeed, said Quinn and Schulz, such bugs are often leveraged by nation-state-backed advanced persistent threat (APT) groups.

In their write-up, Quinn and Schulz described how such vulnerabilities in modern routers were becoming of greater potential impact. “Unlike those of the past, modern routers now function like high-powered servers with many ethernet ports running not only routing software but, in some cases, even multiple containers,” they said. “The complexity of these systems expands the already ripe attack surface for threat actors. If an attacker could access one of these devices and get complete control, they would have a foothold in a network and a powerful ‘server’ within their control.”

Dangerous supply chain attacks

The researchers also highlighted how vulnerable edge networking devices are to supply chain attacks. “With the complexities of enterprise networking, many businesses outsource the configuration and network design to third-party installers,” they explained.

“A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain. The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the user.

“Consumers of these edge devices need to closely monitor their supply chain and ensure that any third-party resellers, partners, or managed service providers have transparent security protocols.”

Although there is no sign that this has happened, such issues can also be magnified over time as more devices make their way to market with the vulnerability in place, and more users introduce them to their networks, leading to a Log4Shell-like situation where thousands, even millions, of organisations are unaware they are at risk.

Left unpatched, such vulnerabilities can also migrate into new environments as edge network hardware is moved around, introduced to different parts of the enterprise network, or refurbished and resold to new owners through the channel, giving threat actors access to new victims.

“Organisations with affected devices should update to the latest firmware immediately. It’s also important to check if there are any abnormal containers installed or running in your environment, and if you aren’t using containers, disable the IOx (container framework),” wrote Quinn and Schulz.

“Cisco was a model partner in this research and disclosure process. Collaboration is key across vendors and researchers, to minimise our global attack surface and remain resilient from cyber threats. We want to thank them for their transparency and speed in addressing these vulnerabilities,” they said.

Read more on Network security management

Read More
Christeen Culton

Latest

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Newsletter

Don't miss

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Garrett Nussmeier’s QB Brother Receives Upsetting News on Football Career

Colton Nussmeier has run out of options to fix his eligibility for 2026. On July 9, the UIL State Executive Committee voted 4–1 to reject his appeal, a decision first shared by 247Sports’ Mike Roach. With that, his plan to play his senior season at Denton Ryan is over. The door at his old school

Breitbart Business Digest: Stacking Those $250 Trump Bills

Weekly Wrap: Making It Rain with Trump Bills Welcome back to Friday! This is the Breitbart Business Digest weekly wrap, our septidialogic sweep through the economic and financial news. This week the economy failed to get indigestion from the high price of gas, Treasury Secretary Scott Bessent told us about getting fed at the Fed, Trump

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity