Cisco has confirmed that it has corrected a critical flaw that was affecting the IOx application hosting environment.
Cisco IOx is an application environment that enables consistent deployment of applications independent of network infrastructure and docker tools for development. It is used by a wide range of companies, from manufacturing to energy to the public sector.
The flaw, tracked as CVE-2023-20076, allowed threat actors to achieve persistence on the operating system, thus gaining the ability to execute commands remotely.
Who is affected?
“An attacker could exploit this vulnerability by deploying and activating an application in a Cisco IOx Application Hosting environment with the designed activation payload,” Cisco said in its security advisory.
Users running IOS XE without native docker support are affected, as well as those using 800 Series Industrial ISR Routers, CGR1000 Compute Units, IC3000 Industrial Compute Gateways, IR510 WPAN Industrial Routers, and Cisco Catalyst Access Points (COS-APs).
The company added that Catalyst 9000 Series adapters, IOS XR and NX-OS software, and Meraki products were not affected by the bug.
The caveat with this vulnerability is that threat actors need to be already authenticated as an administrator on the compromised systems.
However, researchers from Trellix, who first discovered the flaw, said that attackers could easily chain this vulnerability with others in their malicious campaigns. Administrator authentication can be obtained using default login credentials (many users never change them), as well as through phishing and social engineering.
After authentication, CVE-2023-20076 can be misused for “unfettered access, allowing malicious code to remain in the system and persist across reboots and firmware upgrades.”
In practice, this means that if an attacker exploits this vulnerability, the malicious package will continue to run until the device is factory reset or until the package is manually deleted.
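Because a package deployed this way survives reboots and firmware upgrades until it is removed by hand, a practical defensive check is to audit the applications hosted on each device against a list of approved ones. The script below is an added example, not code from the article, Cisco or Trellix: it parses a constructed, two-column inventory listing (the layout is assumed, not the exact output of any Cisco command) and reports any hosted application that is not on the allow-list.

```python
# Added example (not from the article, Cisco or Trellix): audit the applications
# hosted in an IOx environment against an allow-list, so that an unexpected app
# that would persist across reboots and firmware upgrades is surfaced for review
# and manual removal.
#
# The inventory text below is CONSTRUCTED sample data in an ASSUMED tabular
# layout (app id, state). Replace it with the real output of your platform's
# app-hosting listing command and adjust parse_inventory() to its format.
import re

# Hypothetical allow-list of applications your organisation actually deploys.
APPROVED_APPS = {"edge-collector", "iot-gateway"}

SAMPLE_INVENTORY = """\
App id                                   State
---------------------------------------------------------
edge-collector                           RUNNING
iot-gateway                              DEPLOYED
svc-update                               RUNNING
"""


def parse_inventory(text):
    """Return {app_id: state} from a two-column listing.

    Header lines and horizontal rules are skipped; every other line is expected
    to hold an application id followed by an upper-case state word.
    """
    apps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("App id") or set(line) == {"-"}:
            continue
        match = re.match(r"^(\S+)\s+([A-Z]+)$", line)
        if match:
            apps[match.group(1)] = match.group(2)
    return apps


def unexpected_apps(inventory, approved=APPROVED_APPS):
    """Return the sorted ids of hosted apps that are not on the allow-list."""
    return sorted(app for app in inventory if app not in approved)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for app in unexpected_apps(inventory):
        print(f"UNEXPECTED hosted app: {app} ({inventory[app]}) "
              "- verify its origin and remove it if it was not authorised")
```

Run it against the listing from each IOx-capable device after patching: an app that nobody deployed on purpose is exactly the kind of leftover the Trellix researchers describe, and the fix for a device that was already compromised is to delete that package (or factory reset), not only to upgrade.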
The good news is that, as of now, there is no evidence of the bug being exploited in the wild, but if you are using this solution, make sure you update it to the latest version.
Via: BleepingComputer