Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Fix CVE-2023-20036 And CVE-2023-20039- Command Injection and File Permissions Vulnerabilities in Cisco Industrial Network Director (IND)?
April 20, 2023
|
10m

How to Fix CVE-2023-20036 And CVE-2023-20039- Command Injection and File Permissions Vulnerabilities in Cisco Industrial Network Director (IND)?


How To Fix Cve 2023 20036 And Cve 2023 20039 Command Injection And File Permissions Vulnerabilities In Cisco Industrial Network Director Ind

The network devices manufacturer giant Cisco published an advisory on 19th April 2023 in which Cisco detailed Command Injection and File Permissions Vulnerabilities in Cisco Industrial Network Director (IND). The vulnerability tracked as CVE-2023-20036 is a Critical severity vulnerability with a CVSS score of 9.9 out of 10. And the vulnerability tracked as CVE-2023-20039 is a Medium severity vulnerability with a CVSS score of 5.5 out of 10. Both the vulnerabilities are lice in the web-based user interface of affected Cisco IND. Since this flaw allows the authenticated attacker to to inject arbitrary operating system commands or access sensitive data of an affected device, it is most important to fix the CVE-2023-20036 And CVE-2023-20039 vulnerabilities. Let’s see how to fix CVE-2023-20036 And CVE-2023-20039, Command Injection and File Permissions Vulnerabilities in Cisco Industrial Network Director.

A Short Note About Cisco Industrial Network Director (IND):

Cisco Industrial Network Director (IND) is a network management solution designed for operational technology (OT) environments. It assists operations teams in deploying and monitoring Cisco Industrial Ethernet Switches in industrial networks. The main goal of Cisco IND is to improve system availability and reduce downtime, leading to increased efficiency in industrial settings.

Summary of CVE-2023-20036

This is a critical Command Injection vulnerability in the web UI of Cisco IND, a network management solution specifically designed for operational technology (OT) environments. The flaw is due to improper input validation when uploading a Device Pack and could be exploited by altering the request sent when uploading a Device Pack. This vulnerability could enable an authenticated attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device.

Associated CVE IDCVE-2023-20036
DescriptionA Critical Severity Command Injection Vulnerability in Cisco Industrial Network Director
Associated ZDI ID
CVSS Score9.9 critical
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Impact Score
Exploitability Score
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)None
Integrity (I)None
availability (a)High

Summary of CVE-2023-20036

This is a medium severity File Permissions vulnerability in Cisco IND, a network management solution specifically designed for operational technology (OT) environments. The flaw is due to insufficient default file permissions that are applied to the application data directory and could be exploited by accessing files in the application data directory. This vulnerability could enable an attacker to view sensitive information of an affected device.

Associated CVE IDCVE-2023-20036
DescriptionA Medium Severity File Permissions Vulnerability in in Cisco Industrial Network Director
Associated ZDI ID
CVSS Score5.5 Medium
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Impact Score
Exploitability Score
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)None
Integrity (I)High
availability (a)None

Cisco IND Versions Vulnerable to CVE-2023-20036

As per the advisory published by Cisco, all the versions of Cisco IND are affected, which is less than 1.11.3.

How to Fix CVE-2023-20036 And CVE-2023-20039- Command Injection and File Permissions Vulnerabilities in Cisco Industrial Network Director (IND)?

Unfortunately, there are no known workarounds to fully address these vulnerabilities. Cisco rolled out a patch by releasing v1.11.3. Users of Cisco IND are advised to upgrade to 1.11.3 to fix the Command Injection and File Permissions Vulnerabilities in Cisco Industrial Network Director.

How to Upgrade Cisco IND to 1.11.3?

Welcome to our comprehensive guide on upgrading the Cisco Industrial Network Director (IND) application on Microsoft Windows Operating Systems (OS). With this guide, we aim to provide you with the latest information to ensure a smooth and efficient installation/upgradation process, followed by easy access to the application after installation. By following our step-by-step instructions, you’ll unlock the full potential of your Cisco IND experience.

System Requirements for Cisco IND v1.11.x:

Before diving into the installation/upgradation process, it’s crucial to ensure that your system meets the minimum requirements to run the Cisco IND application. This section outlines the essential system specifications needed for a seamless experience.

Table 1. Essential System Requirements for Cisco IND

CategoryMinimum Requirement
Operating System (OS)Windows 10
Windows Server Support– Windows Server 2012 R2
– Windows Server 2016
– Windows Server 2019 R2
Browser Compatibility– Chrome: Version 50.0.2661.75 or 53.0.2785.116
– Firefox: 55.0.3, 57.0.4, 63.0.3 or above
RAM8 GB
CPUQuad-Core 1.8 GHz
Storage50 GB

Compatibility and Support:

It’s essential to note that the Cisco IND application v1.11.x exclusively supports 64-bit versions of the listed operating systems. Make sure your system is compatible before proceeding with the installation.

Pre-Installation Checks to Install or Upgrade Cisco IND v1.11.X:

Before embarking on a new installation or upgrading your existing IND software, follow these crucial steps to ensure a smooth and seamless process.

  • Consistent User Account: Use the same user account for both installation and upgrade to maintain consistency and prevent potential issues.

  • Computer Name Limitation: Ensure your computer name is no longer than 15 characters, as recommended for Windows systems.

  • Avoid Interrupting the Rollback Process: Do not manually stop the rollback process during its execution, as this may leave your system in an unstable state.

  • Password Policy Compliance: Make certain that your password policy allows for the initial password set for the Postgres user. The password pattern will be as follows:
    Ind$<16 digit alpha numeric characters ><computer name>

  • Granting Necessary Privileges: Confirm that the Postgres Windows user account created by the installer has not been denied the “Log on as a service” privilege by your administrator. To verify this, open the Local Security Policy and navigate to Local Security Settings\Local Policies\User Rights Assignment, ensuring that the Postgres user or Users group is not added to the “Deny log on as a service” list.

Pre-Installation Steps for the IND Software Package:

Before installing the IND software package, make sure to:

  • Close the Windows services management console.

  • Terminate any command prompt, notepad, or application with open IND files and folders.

  • Prevent the Windows machine hosting the IND software from being powered off abruptly, as this may lead to file loss and necessitate reinstallation. To safeguard against this, schedule periodic backup tasks after IND installation.

Note: Consult the Settings > Backup section of the Dashboard Help in IND after installation to learn how to schedule periodic upgrade backup tasks. Additionally, refer to the Restore Database Backup section of this document for instructions on restoring an earlier IND backup.

Ensuring Required Ports are Open

For proper functionality, open the necessary ports for inbound, outbound, and bidirectional traffic on your firewall. The default ports are as follows:

Inbound Traffic:

  • TCP ports: 21, 8088, 8443, 50000-50050

  • UDP port: 30162

Outbound Traffic:

  • TCP ports: 443, 80, 22, 23, 44818, 102, 502, 4840, 139, 1812

  • UDP ports: 161, 67, 2222, 34964, 4840

Both Inbound and Outbound Traffic:

  • TCP ports: 8910, 47808

Note: If any ports are customized during installation or within the access profile, open the corresponding ports in the firewall.

Closing Unnecessary Programs

Close the Windows services management console and any command prompt, notepad, or application with open IND files and folders.

Implementing PnP in Your Network:

When using PnP in your network, adhere to the following guidelines:

  1. Start and run an NTP server in the network, either on a separate Windows server or on the laptop or desktop where IND is installed.

  2. Keep the NTP service running at all times if using a separate Windows server in the network.

  3. When running an IE1000 switch in your network, add the NTP server IP address in the DHCP Option 43 field to support PnP.

  4. If running the NTP server on the IND server (laptop or desktop), follow these steps to start the Windows Time Service and ensure it runs continuously:a. Click the Start button and search for “services.msc” in the Search programs and files field.b. Locate Windows Time, check its current status, and open to make changes.c. Set the Startup type to Automatic.

By following this comprehensive guide to installing and upgrading IND software, you can ensure a smooth and successful process. Remember to adhere to the pre-installation steps, open the necessary ports, and implement PnP correctly to get the most out of your IND software.

Step-by-Step Instructions to Upgrade Cisco IND to 1.11.X

This comprehensive guide will walk you through the step-by-step process of upgrading Cisco IND to 1.11.x, ensuring a seamless transition. For comphrensive information, please refer to the official installation or upgradation guide and release notes.

Time needed: 30 minutes.

Instructions to Upgrade Cisco IND to 1.11.X

  1. Download the Cisco IND Software Package

    To begin, navigate to the Cisco Download Software page at https://software.cisco.com/download/home and follow this path: Products > Cloud and Systems Management > IoT Management and Automation > Industrial Network Director. From the Industrial Network Director software page, select the desired 1.11.x software release. Click on the download link for the required 1.11.x software release. This will initiate the download of the IND installer file (e.g., ind-1.11.0-xxx-installer.exe).

  2. Launch the Installer

    Double-click the downloaded installer file (e.g., ind-1.11.0-xxx-installer.exe) and click ‘Yes’ when prompted by the User Account Control to allow the installation on your system.

  3. Select Language

    In the Language Selection window, the default language will appear in the drop-down menu. This will be the same language you chose during the original installation. Click ‘OK’ to proceed.

  4. Confirm the Upgrade

    A pop-up window will appear, asking you to confirm the upgrade of your current IND application to the new version. Click ‘Yes’ to upgrade or ‘No’ to cancel the process.

  5. Navigate the Setup Wizard and Accept the License Agreement

    Upon reaching the Setup Wizard screen, click ‘Next’ to continue. At the License Agreement page, select the ‘I accept the agreement’ radio button, and click ‘Next’.

  6. Begin Installation

    On the Ready to Install screen, click ‘Next’ to start the installation of the IND application on your system. For upgrades, you can choose the ‘Customize’ option, which allows for system profile selection. The same system profile you chose during the initial installation will apply after the upgrade.

    Important Notes Regarding IND Upgrades

    1. During an IND upgrade, a progress pop-up will display until all IND Services have initialized and become accessible. Depending on your PC configuration, this may take up to 8 minutes. Please wait for the initialization progress pop-up to complete.
    2. When upgrading from IND 1.8.0 release, the folder location is: %ALLUSERSPROFILE%\
    Cisco\Cisco Industrial Network Director for all upgrades from IND 1.8.0.
    3. The installer will create a backup of your existing installation before the upgrade, storing it in the installation directory. If the application is not reachable after the upgrade, you can restore IND to its previous state using this backup. To do this, copy the backup file to a separate directory outside the installation directory, uninstall and reinstall the previous version of IND, and then restore the backup.

We hope this post helped you know how to fix CVE-2023-20036 And CVE-2023-20039, Command Injection, and File Permissions Vulnerabilities in Cisco Industrial Network Director. Please share this post if you find this interested. Visit our social media page on FacebookLinkedInTwitterTelegramTumblrMedium & Instagram, and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe