Cisco released security updates this week to address a high-severity vulnerability in the Cisco IOx Application Hosting Environment that can be exploited in command injection attacks.
The security flaw (CVE-2023-20076) is due to the incomplete sanitization of the parameters transmitted during the application activation process. It was found and reported by security researchers Sam Quinn and Kasimir Schulz of the Trellix Advanced Research Center.
Successful exploitation in low complexity attacks that do not require user interaction allows remotely authenticated attackers to execute commands with root permissions on the underlying operating system.
“An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx Application Hosting Environment with a specially crafted activation payload file,” Cisco explained in a security advisory released Wednesday.
The company says the vulnerability affects Cisco devices running IOS XE software, but only if they don’t support native docker.
In addition to IOS XE-based devices configured with IOx, the list of affected devices also includes Industrial ISR 800 Series Routers, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, IR510 Industrial WPAN Routers, and Cisco Catalyst Access Points (COS-APs).
The company has also confirmed that the CVE-2023-20076 flaw does not affect Catalyst 9000 series switches, IOS XR and NX-OS software, or Meraki products.
What we found pt. 1 – CVE-2023-20076 (Authenticated Remote Command Injection)
– Impacts a wide variety of @Cisco Devices.
– Allows the attacker to inject code into the Cisco web interface field.
– Our team used command injection to achieve a persistent shell that survived device reboots.
— Trellix Advanced Research Center (@TrellixARC) February 1, 2023
Allows persistence across reboots
Attackers can only exploit this vulnerability if they have authenticated administrative access to the vulnerable systems.
However, Trellix researchers explained that threat actors may exploit other security flaws that allow privilege escalation, or may use various tactics to obtain administrator credentials.
For example, to gain admin access to targeted devices, they can use:
- Default Login Credentials: Many Cisco devices ship with the default username and password “cisco:cisco” or “admin:admin”, which many fail to change.
- Phishing: The most common method attackers use to collect credentials is tricking employees into logging into a fake router UI, or spoofing an email from the router itself with a link to the login page “asking to update the firmware”.
- Social Engineering: Attackers also successfully exploit human weakness by social engineering someone into handing over credentials.
Once this requirement is met, attackers can exploit CVE-2023-20076 for “unrestricted access, allowing malicious code to hide in the system and persist across reboots and firmware upgrades,” as the researchers explain.
“Bypassing this security measure means that if an attacker exploits this vulnerability, the malicious package will continue to function until the device is factory reset or until it is manually removed.”
This is possible because command injection bypasses the mitigations Cisco has put in place to prevent the vulnerability from persisting across system reboots or resets.
Cisco’s Product Security Incident Response Team (PSIRT) says it has found no evidence that this vulnerability is being exploited in the wild.
In January, Cisco notified customers of a critical authentication bypass vulnerability (CVE-2023-20025) with a public exploit affecting several end-of-life VPN router models.
A week later, Censys found more than 20,000 Cisco RV016, RV042, RV042G and RV082 routers unpatched against CVE-2023-20025 and exposed to attacks.