Among the most series flaws is a privilege escalation vulnerability in the authorisation controls of the IOx application hosting infrastructure in Cisco IOS XE Software releases 16.3.1 and later (CVE-2020-3227, CVSS base score 9.8).
“The vulnerability is due to incorrect handling of requests for authorisation tokens,” Cisco explains in an advisory. “An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorisation token and execute any of the IOx API commands on an affected device.”
The two other critical flaws consisted of a remote code execution bug (CVE-2020-3198, CVSS base score 9.8) and a command injection bug (CVE-2020-3205, CVSS base score 8.8) in IOS for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000).
According to Cisco, the RCE bug, which can also cause a system to crash and reload, was discovered “in the area of code that manages inter-VM signaling of Cisco IOS Software. “The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 9700 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur.”
The command injection vulnerability was observed in the implementation of the inter-VM channel of Cisco IOS Software. According to Cisco, the bug is caused by insufficient validation of signaling packets and “could allow an unauthenticated, adjacent attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device.”
“An attacker could exploit this vulnerability by sending malicious packets to an affected device,” Cisco explains. “A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user. Because the device is designed on a hypervisor architecture, exploitation of a vulnerability that affects the inter-VM channel may lead to a complete system compromise.”
Cisco also patched 22 high-level vulnerabilities; the remainder were of medium severity. Back on 1 June, Cisco also issued a separate advisory, announced it fixed a bug in the network stack of Cisco NX-OS Software that could allow unauthenticated, remote attacker to bypass security boundaries or cause a denial of service condition.
The bug was caused by affected devices “unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address, Cisco noted. More information on this “IP Encapsulation within IP” vulnerability (CVE-2020-10136) can be found here.
This article was first published in SC US.