The network appliances manufacturer giant Cisco published an advisory on 1st February 2023 (Updated on 3rd February 2023) in which Cisco detailed an unauthenticated command injection vulnerability in the Cisco IOx application hosting environment. The vulnerability tracked as CVE-2023-20076 is a High severity vulnerability with a CVSS score of 7.2 out of 10. The vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. Since an attacker can execute arbitrary commands as root on the underlying host operating system of vulnerable devices by abusing this vulnerability, it is most important to fix the CVE-2023-20076 vulnerability. Let’s see how to fix CVE-2023-20076, A command injection vulnerability in the Cisco IOx application hosting environment, in this post.
Table of Contents
A Short Note on Cisco IOx Application Hosting Environment
Cisco IOx is a highly advanced and innovative hosting environment for the Internet of Things (IoT) applications. Cisco IOx is designed to provide the scalability, reliability, and performance that IoT applications require. The platform supports multiple operating systems, including Linux, and provides a secure environment for your applications to run in. This ensures that your applications are protected from potential security threats and that they have the ability to run uninterrupted and efficiently. Additionally, the IOx platform provides a wide range of services that allow developers to create and deploy IoT applications in a matter of minutes.
Summary of CVE-2023-20076
This is an authenticated command injection vulnerability in the Cisco IOx application hosting environment, a centralized hosting environment for the Internet of Things (IoT) applications. The flaw is due to incomplete sanitization of parameters that are passed in for activation of an application. This vulnerability could allow attackers to execute arbitrary commands as root on the underlying host operating system of the affected products. The attacker could exploit this vulnerability by deploying and activating an application with a specially crafted activation payload file.
According to the Trellix, a security firm who disclosed the flaw survive system reboots and firmware updates. an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted. At this point, countless damages could have occurred.According to the Trellix, a security firm who disclosed the flaw survive system reboots and firmware updates. an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted. At this point, countless damages could have occurred.
|Associated CVE ID
|A Command Injection Vulnerability in Cisco IOx Application Hosting Environment
|Associated ZDI ID
|Attack Vector (AV)
|Attack Complexity (AC)
|Privilege Required (PR)
|User Interaction (UI)
Cisco Products Vulnerable to CVE-2023-20076
- 800 Series Industrial ISRs
- CGR1000 Compute Modules
- IC3000 Industrial Compute Gateways (releases 1.2.1 and later run native docker)
- IR510 WPAN Industrial Routers
How Do You Determine Your Cisco Product is vulnerable to CVE-2023-20076?
Cisco products which don’t have native docker support are vulnerable to the CVE-2023-20076 vulnerability. If you are able to find the status of docker support on your Cisco product, you can tell your product is prone to vulnerability.
The easiest way to do this is to run show iox command on the Cisco device. If you see Dockerd in the command output, then your device supports docker. If not, then your device doesn’t support docker. As simple as that. There is another way to find it. You need to look into the IOx Platform Support Matrix published by Cisco. On this matrix, Cisco listed the products with docker support information.
Here you see the sample output of the command.
IOx Infrastructure Summary:
IOx service (CAF) : Running
IOx service (HA) : Running
IOx service (IOxman) : Running
IOx service (Sec storage) : Running
Libvirtd 5.5.0 : Running
Dockerd v19.03.13-ce : Running
Sync Status : Disabled
Cisco Products Not Vulnerable to CVE-2023-20076
Cisco has confirmed that the following Cisco products are not affected by the flaw:
- Catalyst 9000 Series Switches (native docker is supported in all releases)
- Cisco Catalyst 9100 Family of Access Points (COS-AP)
- IOS XR Software
- Meraki products
- NX-OS Software (native docker is supported in all releases)
How to Fix CVE-2023-20076- A Command Injection Vulnerability in Cisco IOx Application Hosting Environment?
Cisco has released security patches to fix the CVE-2023-20076 vulnerability. Please refer to this table to see the vulnerable versions of Cisco products and the release version with recommended fixes. We recommend upgrading to an appropriate fixed software release, as shown below table, to fix the vulnerability.
|First Fixed Release
|800 Series Industrial ISRs
|CGR1000 Compute Modules
|IC3000 Industrial Compute Gateways
|IOS XE-based devices configured with IOx
|17.6.518.104.22.168.1For more information, see the Cisco IOS and IOS XE Software Checker in the next section.
|IR510 WPAN Industrial Routers
Unfortunately, there are no known workarounds to fully address these vulnerabilities. However, administrators can reduce the risk of exploitation by disabling the Cisco IOx feature permanently on the device. You can run the no iox command to disable the 1Ox feature forever.
Cisco Software Checker Utility
Cisco has published the Cisco Software Checker service to search for Cisco Security Advisories for specific Cisco IOS, IOS XE, NX-OS, and NX-OS in ACI Mode software releases. We recommend using this awesome tool from Cisco to ensure no advisories are skipped to action against the discovered known vulnerabilities.
For Example: if you want to check the advisories for Cisco ISO XE Software. Select your Cisco Operating System, NX-OS Platform, and NX-OS release versions from the dropdown. Click the Continue button. Select the Advisory Impact Rating, then click the Continue button again. You will see a list of Security Advisories That Affect This Release.
We hope this post helps you know how to fix CVE-2023-20076, A command injection vulnerability in Cisco IOx application hosting environment. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.