Threat Watch

Cisco Devices Left Vulnerable After Bugs are Discovered

A security vulnerability has been found in Cisco gear used in various industries worldwide. In total, there are two bugs believed to be causing issues and affecting products such as Cisco ISR 4431 routers, 800 Series Industrial ISRs, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, IOS XE-based devices configured with IOx, IR510 WPAN Industrial Routers, Cisco Catalyst Access points. The two bugs in question, CSCwc67015, and CVE-2023-20076 could allow threat actors to gain unauthorized access to the devices mentioned along with other abilities they may have after accessing them. Typically, Cisco prevents an attack from remaining a problem through reboots and system resets; however, the command injection flaw, CVE-2023-20076, can persist even through firmware upgrades and device reboots. The only two options for a user are to either perform a factory reset or to find the malicious code on their own and remove it.

ANALYST NOTES

Exploiting these bugs would require a threat actor to obtain admin-level access on the local device. However, given that many deployments are likely not to change the default device passwords, threat actors may not have much difficulty obtaining those admin credentials.

Researchers at Trellix have advised those using the Cisco products to check for any abnormal containers installed on relevant Cisco devices, and recommended that organizations that don’t run containers disable the IOx container framework entirely. Most important of all, they emphasized, was that “organizations with affected devices should update to the latest firmware immediately.” Patching devices and changing default admin passwords are highly recommended.

https://www.darkreading.com/ics-ot/command-injection-bug-cisco-industrial-gear-devices-complete-takeover