This week, Cisco released security updates to address a serious vulnerability in the Cisco IOx application hosting environment. The flaw is caused by incomplete sanitization of parameters passed during the app activation process and can be exploited in command injection attacks. It was discovered and reported by Sam Quinn and Kasimir Schulz of the Trellix Advanced Research Center.

A successful attack allows remote attackers who already hold administrative access to execute commands with root permissions on the underlying operating system. To exploit the vulnerability, an attacker would deploy and activate an application in the Cisco IOx application hosting environment using a crafted activation payload file.

Once the vulnerability has been exploited, the malicious package remains on the device until it is factory reset or the package is manually deleted, because the command injection bypasses the mitigations Cisco put in place to prevent vulnerabilities from persisting across system reboots or system resets.

The affected devices include 800 Series Industrial ISR routers, CGR1000 compute modules, IC3000 industrial compute gateways, IR510 WPAN industrial routers, and Cisco Catalyst access points. Catalyst 9000 Series switches, IOS XR and NX-OS software, and Meraki products are not affected. Cisco has not found any evidence that this vulnerability is being exploited in the wild.

Separately, in January Cisco warned customers of a critical authentication bypass vulnerability, for which public exploit code exists, affecting multiple models of end-of-life VPN routers.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 02 Feb 2023 17:06:02 +0000