CERT-In Vulnerability Note
CIVN-2023-0086
Multiple Vulnerabilities in Cisco
Original Issue Date: March 23, 2023
Severity Rating: HIGH
Component Affected
- Business 150 APs and 151 Mesh Extenders
- Catalyst 9100 APs
- Cisco IOS XE Software releases 17.9.1, 17.9.1a, or 17.9.1w
- Cisco IOS or IOS XE Software
- Catalyst 9800 Embedded Wireless Controllers
- Catalyst 9800-CL Wireless Controllers for Cloud
- Embedded Wireless Controllers on Catalyst Access Points
- 1000 Series Integrated Services Routers
- 4000 Series Integrated Services Routers
- Catalyst 8000V Edge Software Routers
- Catalyst 8200 Series Edge Platforms
- Catalyst 8300 Series Edge Platforms
- Catalyst 8500L Series Edge Platforms
- Cloud Services Router 1000V Series
- Cisco DNA Center
- Cisco Catalyst 9300 Series Switches
- Cisco IOS XE SD-WAN Software
Overview
Multiple vulnerabilities have been reported in the IPv4 Virtual Fragmentation Reassembly (VFR) feature, the fragmentation handling code for tunnel protocol packets, the HTTP-based client profiling feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs), the Cisco access point (AP) feature of Cisco IOS XE Software, Cisco DNA Center, Cisco Catalyst 9300 Series Switches, and the CLI of Cisco IOS XE SD-WAN Software. These could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition, or to elevate privileges in the context of the web-based management interface on an affected device, and could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges.
Description
1. Privilege Escalation Vulnerability
(CVE-2023-20055, CVE-2023-20065)
These vulnerabilities exist in the management API of Cisco DNA Center due to unintended exposure of sensitive information and insufficient restrictions on the hosted application. An attacker could exploit these vulnerabilities by inspecting the responses from the API and by logging in to and then escaping the Cisco IOx application container. Successful exploitation of these vulnerabilities could allow the attacker to access the API with the privileges of a higher-level user account and to execute arbitrary commands on the underlying operating system with root privileges.
2. Denial of Service Vulnerability
(CVE-2023-20072, CVE-2023-20080, CVE-2023-20067, CVE-2023-20112, CVE-2023-20027)
These vulnerabilities exist in Cisco IOS XE Software due to improper reassembly of large packets that occurs when VFR is enabled on either a tunnel interface or on a physical interface that is configured with a maximum transmission unit (MTU) greater than 4,615 bytes, improper handling of large fragmented tunnel protocol packets, insufficient validation of data boundaries, trigger, input validation of received traffic and insufficient validation of certain parameters within 802.11 frames. An attacker could exploit these vulnerabilities by sending fragmented packets through a VFR-enabled interface, crafted DHCPv6 messages, crafted traffic through a wireless access point, and a wireless 802.11 association request frame with crafted parameters to an affected device. Successful exploitation of these vulnerabilities could allow the attacker to cause the device to reload and CPU utilization to increase, resulting in a DoS condition.
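For triage of the VFR condition described above, the following added example (not part of the CERT-In note or of Cisco's advisories) audits a saved running configuration for interfaces where VFR is enabled on a tunnel interface or alongside an interface MTU above 4,615 bytes. It assumes VFR appears as an `ip virtual-reassembly` interface line and the interface MTU as `mtu <n>`; the function names and the sample configuration are constructed for illustration.

```python
import re

MTU_THRESHOLD = 4615  # bytes; the MTU figure quoted in the advisory text
# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
interface Tunnel10
 ip virtual-reassembly in
!
interface GigabitEthernet0/0/0
 mtu 9216
 ip virtual-reassembly in
!
interface GigabitEthernet0/0/1
 ip mtu 1400
 ip virtual-reassembly in
!
interface GigabitEthernet0/0/2
 mtu 9216
 no ip virtual-reassembly in
!
"""

def parse_interfaces(config):
    """Map interface name -> {"vfr": bool, "mtu": int or None}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {"vfr": False, "mtu": None}
        elif current and raw.startswith(" "):
            line = raw.strip()
            if m := re.fullmatch(r"(no )?ip virtual-reassembly\b.*", line):
                interfaces[current]["vfr"] = m.group(1) is None  # "no" form disables
            elif m := re.fullmatch(r"mtu (\d+)", line):  # interface MTU, not "ip mtu"
                interfaces[current]["mtu"] = int(m.group(1))
        else:
            current = None  # "!" or a top-level command closes the stanza
    return interfaces

def vfr_exposed(config):
    """List (interface, reason) pairs matching the advisory's VFR condition."""
    findings = []
    for name, info in parse_interfaces(config).items():
        mtu = info["mtu"]  # None means no explicit MTU line in the stanza
        if info["vfr"] and name.lower().startswith("tunnel"):
            findings.append((name, "VFR on tunnel interface"))
        elif info["vfr"] and mtu is not None and mtu > MTU_THRESHOLD:
            findings.append((name, f"VFR with MTU {mtu}"))
    return findings
```

A match only shows that the configuration meets the stated condition; whether the device runs an affected release is determined from the Cisco advisories listed under Solution.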
3. Bypass Vulnerability
(CVE-2023-20082)
This vulnerability exists in the Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches due to errors that occur when retrieving the public release key that is used for image signature verification. An attacker could exploit this vulnerability by modifying specific variables in the Serial Peripheral Interface (SPI) flash memory of an affected device. Successful exploitation of this vulnerability could allow the attacker to execute persistent code on the underlying operating system.
4. Command Injection Vulnerability
(CVE-2023-20035)
This vulnerability exists in the CLI of Cisco IOS XE SD-WAN Software due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by first authenticating to an affected device using either local terminal access or a management shell interface and then submitting crafted input to the system CLI. Successful exploitation of this vulnerability could allow the attacker to execute commands on the underlying operating system with root-level privileges.
Solution
Apply appropriate updates as mentioned in:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dhcpv6-dos-44cMvdDK
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-privesc-QFXe74RS
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-assoc-dos-D2SunWK2
Vendor Information
CISCO
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dhcpv6-dos-44cMvdDK
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-privesc-QFXe74RS
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-assoc-dos-D2SunWK2
CVE Name
CVE-2023-20027
CVE-2023-20055
CVE-2023-20082
CVE-2023-20035
CVE-2023-20072
CVE-2023-20080
CVE-2023-20067
CVE-2023-20112
CVE-2022-20072
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India