Cisco Systems recently issued a series of security advisories addressing 47 vulnerabilities in its IOS & IOS XE software, 3 of which are rated critical.
Among the most serious was a privilege escalation vulnerability in the authorisation controls of the IOx application hosting infrastructure in Cisco IOS XE Software releases 16.3.1 & later (CVE-2020-3227, CVSS base score 9.8).
“The vulnerability is due to incorrect handling of requests for authorisation tokens,” Cisco outlined in their advisory. “An attacker could exploit this vulnerability by using a crafted API call to request such a token.
An exploit could allow the attacker to obtain an authorisation token & execute any of the IOx API commands on an affected device.”
Other Critical Flaws
The 2 other critical flaws were a remote code execution bug (CVE-2020-3198, CVSS base score 9.8) & a command injection bug (CVE-2020-3205, CVSS base score 8.8) in IOS for Cisco 809 & 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000).
According to Cisco, the RCE bug, which can also cause the device to crash & reload, lies “in the area of code that manages inter-VM signalling of Cisco IOS Software.”
UDP port 9700
“The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 9700 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur.”
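To make the bounds-checking failure Cisco describes concrete, here is an added example that is not Cisco's code: a hypothetical UDP message handler whose length field is validated only against the bytes that arrived on the wire, beside a version that also validates it against the receive buffer. The wire format (type, 16-bit length, payload), the `MSG_MAX` buffer size and all function names are assumptions made for illustration, not details of the affected IOS code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define MSG_MAX 64  /* hypothetical fixed-size receive buffer */

struct msg {
    uint8_t type;
    uint8_t payload[MSG_MAX];
    size_t  payload_len;
};

/* Wire format assumed for the example: type (1 byte), length (2 bytes,
 * big-endian), then `declared` payload bytes. Builds a constructed datagram;
 * returns bytes written, 0 if cap is too small. */
static size_t build_packet(uint8_t *buf, size_t cap, uint16_t declared)
{
    size_t total = 3u + declared;
    if (total > cap) return 0;
    buf[0] = 0x01;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memset(buf + 3, 0x41, declared);
    return total;
}

/* The bug class: the declared length is checked only against what arrived
 * on the wire, never against the receive buffer, so a datagram declaring
 * 200 bytes is accepted and the copy would write past payload[MSG_MAX].
 * The copy is simulated (reported through *would_copy) so this example runs
 * without actually corrupting memory. */
static int parse_vulnerable(const uint8_t *pkt, size_t pkt_len, size_t *would_copy)
{
    if (pkt_len < 3) return -1;
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (declared > pkt_len - 3) return -1;   /* only the wire length is checked */
    *would_copy = declared;                  /* real code: memcpy(m->payload, pkt + 3, declared) */
    return 0;
}

/* Hardened: the same wire-length check plus a check against the destination
 * buffer before a single byte is copied. */
static int parse_fixed(const uint8_t *pkt, size_t pkt_len, struct msg *out)
{
    if (pkt_len < 3) return -1;
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (declared > pkt_len - 3) return -1;   /* truncated datagram */
    if (declared > MSG_MAX)     return -1;   /* would overflow payload[] */
    out->type = pkt[0];
    memcpy(out->payload, pkt + 3, declared);
    out->payload_len = declared;
    return 0;
}

/* True if the vulnerable parser accepts a constructed datagram whose
 * declared length exceeds the receive buffer (the overflow condition). */
static bool vulnerable_accepts_oversized(void)
{
    uint8_t pkt[512];
    size_t n = build_packet(pkt, sizeof pkt, 200);   /* constructed: 200 > MSG_MAX */
    size_t would_copy = 0;
    return parse_vulnerable(pkt, n, &would_copy) == 0 && would_copy > MSG_MAX;
}

/* Runs the hardened parser on a constructed datagram with the given declared
 * length; returns the accepted payload length, or -1 if rejected. */
static int fixed_result(uint16_t declared)
{
    uint8_t pkt[512];
    struct msg m;
    size_t n = build_packet(pkt, sizeof pkt, declared);
    if (parse_fixed(pkt, n, &m) != 0) return -1;
    return (int)m.payload_len;
}

/* Hardened parser handed a datagram that declares 20 bytes but only
 * 10 bytes were received: must be rejected as truncated. */
static int fixed_result_truncated(void)
{
    uint8_t pkt[512];
    struct msg m;
    build_packet(pkt, sizeof pkt, 20);
    return parse_fixed(pkt, 10, &m);
}
```

The second check in `parse_fixed` is the one the advisory text says was missing in spirit: a length that is consistent with the datagram can still be inconsistent with the buffer it is copied into, and both bounds have to hold.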
Command Injection Vulnerability
The command injection vulnerability was found in the implementation of the inter-VM channel of Cisco IOS Software. According to Cisco, the bug is caused by “insufficient validation of signalling packets” & “could allow an unauthenticated, adjacent attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device.”
“An attacker could exploit this vulnerability by sending malicious packets to an affected device,” Cisco explains. “A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user.
Because the device is designed on a hypervisor architecture, exploitation of a vulnerability that affects the inter-VM channel may lead to a complete system compromise.”
Cisco also patched 22 high-severity vulnerabilities; the remainder were rated medium.
In a separate advisory published on June 1, Cisco announced a fix for a bug in the network stack of Cisco NX-OS Software that could allow an unauthenticated, remote attacker to bypass security boundaries or cause a denial of service (DoS) condition.
The bug is caused by affected devices “unexpectedly decapsulating & processing IP in IP packets that are destined to a locally configured IP address,” Cisco observed.
More information on this “IP Encapsulation within IP” vulnerability (CVE-2020-10136) can be found in Cisco's advisory.
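The trigger condition Cisco describes for CVE-2020-10136 is a packet with IP protocol number 4 (IP-in-IP, RFC 2003) whose outer destination is one of the device's own addresses. The following added example, which is not Cisco's code and not part of the advisory, parses a raw IPv4 packet and flags exactly that condition, reporting the encapsulated destination so a monitor or input filter could log where the decapsulated packet would have been sent. The sample packets are constructed inline, and the addresses, function names and the placement of such a check (a monitoring tap or a pre-filter in front of a switch that cannot yet be patched) are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define IPPROTO_IPIP_NUM 4   /* IANA protocol number for IP-in-IP (RFC 2003) */
#define ADDR(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct ipv4_fields {
    uint8_t  ihl_bytes;
    uint8_t  proto;
    uint16_t total_len;
    uint32_t src, dst;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ADDR(p[0], p[1], p[2], p[3]); }

/* RFC 1071 one's-complement checksum over an IPv4 header; returns 0 when the
 * header (including its checksum field) verifies. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
    if (len & 1) sum += (uint16_t)(hdr[len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parses one IPv4 header at pkt; false if truncated, malformed or bad checksum. */
static bool parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_fields *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return false;
    uint8_t ihl = (uint8_t)((pkt[0] & 0x0f) * 4);
    if (ihl < 20 || ihl > len) return false;
    if (ipv4_checksum(pkt, ihl) != 0) return false;
    out->ihl_bytes = ihl;
    out->proto     = pkt[9];
    out->total_len = rd16(pkt + 2);
    out->src       = rd32(pkt + 12);
    out->dst       = rd32(pkt + 16);
    return out->total_len >= ihl && out->total_len <= len;
}

/* Returns 1 if pkt is IP-in-IP addressed to local_addr (the condition the
 * advisory describes), 0 if not, -1 if the outer header is malformed. On a
 * hit, *inner_dst receives the encapsulated destination (0 if the inner
 * header itself does not parse; it is still a hit, since the outer header
 * alone triggers the decapsulation path). */
static int ipip_to_local(const uint8_t *pkt, size_t len, uint32_t local_addr, uint32_t *inner_dst)
{
    struct ipv4_fields outer, inner;
    if (!parse_ipv4(pkt, len, &outer)) return -1;
    if (outer.proto != IPPROTO_IPIP_NUM || outer.dst != local_addr) return 0;
    *inner_dst = parse_ipv4(pkt + outer.ihl_bytes, len - outer.ihl_bytes, &inner) ? inner.dst : 0;
    return 1;
}

/* Writes a minimal 20-byte IPv4 header (no options) with a valid checksum. */
static void put_ipv4(uint8_t *h, uint16_t total_len, uint8_t proto, uint32_t src, uint32_t dst)
{
    memset(h, 0, 20);
    h[0] = 0x45;
    h[2] = (uint8_t)(total_len >> 8); h[3] = (uint8_t)(total_len & 0xff);
    h[8] = 64; h[9] = proto;
    for (int i = 0; i < 4; i++) { h[12 + i] = (uint8_t)(src >> (24 - 8 * i)); h[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    uint16_t c = ipv4_checksum(h, 20);
    h[10] = (uint8_t)(c >> 8); h[11] = (uint8_t)(c & 0xff);
}

/* Constructed samples. encapsulated: 192.0.2.10 -> 192.0.2.1 (the device),
 * protocol 4, carrying UDP 10.0.0.9 -> 10.0.0.5 (48 bytes). Otherwise a plain
 * UDP packet 192.0.2.10 -> 192.0.2.1 (28 bytes). Returns bytes written. */
static size_t build_sample(uint8_t *buf, bool encapsulated)
{
    uint8_t udp[8] = {0, 53, 0, 53, 0, 8, 0, 0};   /* sport 53, dport 53, len 8 */
    if (encapsulated) {
        put_ipv4(buf, 48, IPPROTO_IPIP_NUM, ADDR(192, 0, 2, 10), ADDR(192, 0, 2, 1));
        put_ipv4(buf + 20, 28, 17, ADDR(10, 0, 0, 9), ADDR(10, 0, 0, 5));
        memcpy(buf + 40, udp, 8);
        return 48;
    }
    put_ipv4(buf, 28, 17, ADDR(192, 0, 2, 10), ADDR(192, 0, 2, 1));
    memcpy(buf + 20, udp, 8);
    return 28;
}

/* Result of the check on a sample (1 hit, 0 clean, -1 malformed). */
static int sample_result(bool encapsulated)
{
    uint8_t buf[64]; uint32_t inner = 0;
    return ipip_to_local(buf, build_sample(buf, encapsulated), ADDR(192, 0, 2, 1), &inner);
}

/* Encapsulated destination reported for a sample, 0 when there is no hit. */
static uint32_t sample_inner_dst(bool encapsulated)
{
    uint8_t buf[64]; uint32_t inner = 0;
    if (ipip_to_local(buf, build_sample(buf, encapsulated), ADDR(192, 0, 2, 1), &inner) != 1) return 0;
    return inner;
}
```

The same predicate (protocol 4 to a local address) is what an infrastructure ACL in front of the device would express as a deny rule; the parser above is useful for confirming from a capture whether such traffic is actually reaching a device before and after that rule is applied.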