Cisco has fixed a bug that let a backdoor survive reboots and firmware updates


The malicious package will work until the device is reset to factory settings or until it is manually removed.

Cisco released security updates this week to address a dangerous vulnerability in the Cisco IOx application hosting environment that could be used for command injection attacks.

The vulnerability, CVE-2023-20076 (CVSS: 7.2), stems from incomplete sanitization of parameters passed during application activation. It was reported by security researchers from the Trellix Advanced Research Center.

The bug allows a remote, authenticated attacker to execute commands with root privileges on the underlying operating system without any user interaction. The attacker deploys and activates an application in the Cisco IOx hosting environment using a crafted activation payload file.

The company says the vulnerability affects the following Cisco devices:

devices based on IOS XE, but only if they do not support native Docker;
ISR 800 series industrial routers;
CGR1000 compute modules;
IC3000 industrial compute gateways;
IR510 WPAN industrial routers;
Cisco Catalyst Access Points (COS-APs).

The company also confirmed that the CVE-2023-20076 vulnerability does not affect Catalyst 9000 series switches, IOS XR and NX-OS software, or Meraki products.

Persists across reboots

An attacker can only exploit this vulnerability if they already have authenticated administrative access to the affected system. However, Trellix researchers pointed out that attackers may chain other flaws to escalate privileges, or use other tactics to obtain administrator credentials.

For example, to gain administrator access to target devices, they can use:

Default login credentials: many Cisco devices ship with a default username and password of "cisco:cisco" or "admin:admin", which many users do not change;
Phishing: attackers can trick employees into logging into a fake router user interface, or spoof an email from the router itself containing a link to a login page that "requests a firmware update";
Social engineering: attackers convince the user to hand over their credentials.

According to the researchers, after obtaining the credentials, an attacker can use CVE-2023-20076 to gain “unrestricted access, allowing malicious code to hide in the system and persist across reboots and firmware updates. The malicious package will work until the device is reset to factory settings or until it is manually removed.”

The Cisco Product Security Incident Response Team (PSIRT) states that it has found no evidence that this vulnerability is being exploited in a real-world environment.