When Pwning Cisco, Persistence is Key - When Pwning Supply Chain, Cisco is Key

By Trellix · February 1, 2023
This story was also written by Kasimir Schulz and Sam Quinn.

Unlike those of the past, modern routers now function like high-powered servers with many ethernet ports running not only routing software but, in some cases, even multiple containers. The complexity of these systems expands the already ripe attack surface for threat actors. If an attacker could access one of these devices and get complete control, they would have a foothold in a network and a powerful “server” within their control.

Edge devices have also been at the forefront of the physical supply chain conversation. Often, complex networking devices, such as Cisco devices, are not bought directly from Cisco but from third-party sellers. These devices set up by a third party could allow for malicious modifications before the end user receives their device. These potential high-impact outcomes demand additional scrutiny by third-party researchers and security vendors. The Trellix Advanced Research Center found two vulnerabilities in Cisco appliances: one of which could allow attackers to gain persistent root access to the underlying system. These vulnerabilities were disclosed per Trellix’s responsible disclosure process.

Our team focuses on finding critical zero-day vulnerabilities in enterprise software and hardware to expose and reduce attack surfaces. To do this, we are always looking for new devices and software to investigate. This blog will give a high-level overview of the two vulnerabilities, a command injection (CVE-2023-20076) and a path traversal (Cisco bug ID CSCwc67015), that our vulnerability research team discovered in a Cisco ISR 4431 router and impacted a wide range of other Cisco devices.

The bugs

• CVE-2023-20076: Authenticated Remote Command Injection in a variety of Cisco devices
• CSCwc67015: Arbitrary File Write leading to Code Execution in a variety of Cisco devices

CVE-2023-20076

This vulnerability was discovered in the application hosting component and allows administrators to deploy application containers or virtual machines directly on the Cisco device. The commands used to orchestrate the virtualized applications are run on the base system and are somewhat transparent to the end user. For attackers and researchers alike, the way commands pass to the underlying system is a prime target to explore. Through reverse engineering and in-depth static analysis, our team identified that the “DHCP Client ID” option within the Interface Settings was not correctly being sanitized, allowing the ability to inject any OS command of our choosing.

Video 1 – Demonstration of exploit

Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets. Still, in this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. CVE-2023-20076 gains unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades. Side-stepping this security measure means that if an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted. At this point, countless damages could have occurred.

CSCwc67015

Similarly to the vulnerability mentioned above, this issue was discovered in the application hosting environment. Cisco’s IOx Local Manager allows users to upload and run applications in virtualized containers. Through reverse engineering the application hosting environment in the location pointed out by researcher Richard Johnson, our team discovered that a maliciously packed application could bypass a vital security check while uncompressing the uploaded application.

Unbeknownst to the team at the time, this check attempted to secure the system against a vulnerability in Python’s tarfile module. Our team looked into what type of vulnerability this check was meant to prevent. This led to the discovery that CVE-2007-4559 had never been fixed and our team’s efforts to fix the vulnerability. After some trying and further reverse engineering, we were able to prove that the code could be reached from the web application but that our device could not be exploited since it was missing the lzma module. We reported the vulnerability to Cisco since other devices could be affected. Ultimately, this vulnerability was found in the code set to be deployed in the future. This research and collaboration with Cisco prevented an impactful vulnerability from being released.

Authenticated administrative access

It’s important to note the vulnerabilities discussed require the attacker to be authenticated and has admin privileges on the system. While this limits the potential severity, there are many ways for an attacker to gain credentials to systems. While bugs requiring authentication are often downplayed, we regularly see privilege escalation bugs leveraged by nation-states. An attacker can gain authenticated administrative access through:

• Default login credentials: Many Cisco appliances ship with the default username and password of “cisco:cisco” or “admin:admin” which many fail to change
• Phishing: The most used method for attackers to harvest credentials is tricking employees into logging into a fake router UI or spoofing an email from the router itself with a link to the login page “requesting to update the firmware.”
• Social engineering: Attackers also find success exploiting human weakness by social engineering someone to hand over credentials

Taking steps defined in industry best practices, such as changing default login credentials and providing training for employees on social engineering and phishing, can significantly reduce an organization’s susceptibility to these attacks.

Affected devices

These vulnerabilities affect more than the Cisco ISR 4431 router, and the devices listed below are also affected:

• 800 Series Industrial ISRs: Routers designed for industrial environments, such as powerplants, factories, and other harsh environments
• CGR1000 Compute Modules: Compute modules for enterprise cloud services primarily aimed to run VPNs, firewalls, and WAN optimizations
• IC3000 Industrial Compute Gateways: The compute gateway line of products provides real-time data processing, analytics, and automation for industrial environments
• IOS XE-based devices configured with IOx: Routers for third-party applications to run inside of a containerized environment directly on the router itself
• IR510 WPAN Industrial Routers: A Wireless Personal Area Network (WPAN) router for smart factories and smart grids where wireless is required
• Cisco Catalyst Access points (COS-APs): Another wireless access point primarily focused on enterprise environments with a high number of connected devices

Supply chain impact

Our research process at Trellix’s Advanced Research Center involves investigating the most significant vulnerabilities impacting our customers, and threats to the supply chain are often highly impactful. Therefore our vulnerability research team pays special attention to devices and software with a reach both inside the enterprise as well as into the broader supply chain.

With the complexities of enterprise networking, many businesses outsource the configuration and network design to third-party installers. A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain. The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user. Consumers of these edge devices need to closely monitor their supply chain and ensure that any third-party resellers, partners, or managed service providers have transparent security protocols.

A vulnerability that is left unpatched will often continue to manifest into new products – which over time, creates a more significant risk as numerous different devices can all be vulnerable to the same type of attack. This type of supply chain issue can lead to events similar to the events of Log4j, where a large number of companies across every industry are unaware they are vulnerable to an attack and exposed to threat actors. It’s also important to note that old datacenter and networking equipment will often be “repurposed” or even resold as newer, faster devices emerge. An infected router corrupting the data center might eventually be moved to another part of the business, giving the threat actor free access to more of the network or a new network entirely. To mitigate the risk, organizations can ensure employees receive cyber-security training on all layers of the technology stack to prevent reintroducing past attack surfaces and quickly remediate new ones.

Conclusion

Cisco was a model partner in this research and disclosure process. Collaboration is key across vendors and researchers, to minimize our global attack surface and remain resilient from cyber threats. We want to thank them for their transparency and speed in addressing these vulnerabilities.

Organizations with affected devices should update to the latest firmware immediately. It’s also important to check if there are any abnormal containers installed or running in your environment and if you aren’t using containers, disable the IOx (container framework). Cisco’s security advisory and patch information for these vulnerabilities can be found here.

_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _