• Home
  • |
  • Blog
  • |
  • How to Fix CVE-2023-20076- A Command Injection Vulnerability in Cisco IOx Application Hosting Environment?
How to Fix CVE-2023-20076- A Command Injection Vulnerability in Cisco IOx Application Hosting Environment

The network appliances manufacturer giant Cisco published an advisory on 1st February 2023 (Updated on 3rd February 2023) in which Cisco detailed an unauthenticated command injection vulnerability in the Cisco IOx application hosting environment. The vulnerability tracked as CVE-2023-20076 is a High severity vulnerability with a CVSS score of 7.2 out of 10. The vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. Since an attacker can execute arbitrary commands as root on the underlying host operating system of vulnerable devices by abusing this vulnerability, it is most important to fix the CVE-2023-20076 vulnerability. Let’s see how to fix CVE-2023-20076, A command injection vulnerability in the Cisco IOx application hosting environment, in this post.

A Short Note on Cisco IOx Application Hosting Environment

Cisco IOx is a highly advanced and innovative hosting environment for the Internet of Things (IoT) applications. Cisco IOx is designed to provide the scalability, reliability, and performance that IoT applications require. The platform supports multiple operating systems, including Linux, and provides a secure environment for your applications to run in. This ensures that your applications are protected from potential security threats and that they have the ability to run uninterrupted and efficiently. Additionally, the IOx platform provides a wide range of services that allow developers to create and deploy IoT applications in a matter of minutes.

Summary of CVE-2023-20076

This is an authenticated command injection vulnerability in the Cisco IOx application hosting environment, a centralized hosting environment for the Internet of Things (IoT) applications. The flaw is due to incomplete sanitization of parameters that are passed in for activation of an application. This vulnerability could allow attackers to execute arbitrary commands as root on the underlying host operating system of the affected products. The attacker could exploit this vulnerability by deploying and activating an application with a specially crafted activation payload file.

https://players.brightcove.net/21712694001/OsCjrUQjY_default/index.html?videoId=6319575040112

According to the Trellix, a security firm who disclosed the flaw survive system reboots and firmware updates. an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted. At this point, countless damages could have occurred.

According to the Trellix, a security firm who disclosed the flaw survive system reboots and firmware updates. an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted. At this point, countless damages could have occurred.
– Terllix
Associated CVE IDCVE-2023-20076
DescriptionA Command Injection Vulnerability in Cisco IOx Application Hosting Environment
Associated ZDI ID
CVSS Score7.2 High
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)High
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Cisco Products Vulnerable to CVE-2023-20076

Cisco advisory says that this authenticated command injection vulnerability affects Cisco devices running Cisco IOS XE Software with no native docker support and Cisco IOx feature enabled on them. 

  • 800 Series Industrial ISRs
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways (releases 1.2.1 and later run native docker)
  • IR510 WPAN Industrial Routers
See Also  How ChatGPT and AI Technologies are Being Used in Virtual Kidnapping Scams?- Another Example of AI Abuse

How Do You Determine Your Cisco Product is vulnerable to CVE-2023-20076?

Cisco products which don’t have native docker support are vulnerable to the CVE-2023-20076 vulnerability. If you are able to find the status of docker support on your Cisco product, you can tell your product is prone to vulnerability.

The easiest way to do this is to run show iox command on the Cisco device. If you see Dockerd in the command output, then your device supports docker. If not, then your device doesn’t support docker. As simple as that. There is another way to find it. You need to look into the IOx Platform Support Matrix published by Cisco. On this matrix, Cisco listed the products with docker support information. 

Here you see the sample output of the command. 

Switch#show iox 
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)              : Running
IOx service (HA)               : Running
IOx service (IOxman)           : Running
IOx service (Sec storage)      : Running
Libvirtd 5.5.0                 : Running
Dockerd v19.03.13-ce   :  Running
Sync Status                    : Disabled

Switch#

Cisco Products Not Vulnerable to CVE-2023-20076

Cisco has confirmed that the following Cisco products are not affected by the flaw:

  • Catalyst 9000 Series Switches (native docker is supported in all releases)
  • Cisco Catalyst 9100 Family of Access Points (COS-AP)
  • IOS XR Software
  • Meraki products
  • NX-OS Software (native docker is supported in all releases)

How to Fix CVE-2023-20076- A Command Injection Vulnerability in Cisco IOx Application Hosting Environment?

Cisco has released security patches to fix the CVE-2023-20076 vulnerability. Please refer to this table to see the vulnerable versions of Cisco products and the release version with recommended fixes. We recommend upgrading to an appropriate fixed software release, as shown below table, to fix the vulnerability. 

Cisco PlatformFirst Fixed Release
800 Series Industrial ISRs15.9(3)M7
CGR1000 Compute Modules1.16.0.1
IC3000 Industrial Compute Gateways1.4.2
IOS XE-based devices configured with IOx17.6.517.9.217.10.1For more information, see the Cisco IOS and IOS XE Software Checker in the next section.
IR510 WPAN Industrial Routers1.10.0.1

Unfortunately, there are no known workarounds to fully address these vulnerabilities. However, administrators can reduce the risk of exploitation by disabling the Cisco IOx feature permanently on the device. You can run the no iox command to disable the 1Ox feature forever. 

Cisco Software Checker Utility

Cisco has published the Cisco Software Checker service to search for Cisco Security Advisories for specific Cisco IOS, IOS XE, NX-OS, and NX-OS in ACI Mode software releases. We recommend using this awesome tool from Cisco to ensure no advisories are skipped to action against the discovered known vulnerabilities.

For Example: if you want to check the advisories for Cisco ISO XE Software. Select your Cisco Operating System, NX-OS Platform, and NX-OS release versions from the dropdown. Click the Continue button. Select the Advisory Impact Rating, then click the Continue button again. You will see a list of Security Advisories That Affect This Release.

Cisco Software Checker Utility

We hope this post helps you know how to fix CVE-2023-20076, A command injection vulnerability in Cisco IOx application hosting environment. Please share this post if you find this interested. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, Medium & Instagram, and subscribe to receive updates like this.

See Also  How to Request a Certificate From Windows ADCS?

Read More:

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.