Cisco
fixed
a
high-severity
flaw
in
the
IOx
application
hosting
environment
that
can
be
exploited
in
command
injection
attacks.
Cisco
has
released
security
updates
to
address
a
command
injection
vulnerability,
tracked
as
CVE-2023-20076,
in
the
Cisco
IOx
application
hosting
environment.
“A
vulnerability
in
the
Cisco
IOx
application
hosting
environment
could
allow
an
authenticated,
remote
attacker
to
execute
arbitrary
commands
as root on
the
underlying
host
operating
system.”
reads
the
advisory
published
by
the
IT
giant.
The
root
cause
of
the
flaw
is
the
incomplete
sanitization
of
parameters
that
are
passed
in
for
activation
of
an
application.
“An
attacker
could
exploit
this
vulnerability
by
deploying
and
activating
an
application
in
the
Cisco
IOx
application
hosting
environment
with
a
crafted
activation
payload
file.”
continues
the
advisory.
“A
successful
exploit
could
allow
the
attacker
to
execute
arbitrary
commands
as root on
the
underlying
host
operating
system.”
The
CVE-2023-20076
flaw
affects
devices
that
are
running
Cisco
IOS
XE
Software
if
they
have
the
IOx
feature
enabled
and
they
do
not
support
native
docker.
The
vulnerability
also
impacts
the
following
products,
which
do
not
support
native
docker,
if
they
are
running
a
vulnerable
software
release
and
have
the
Cisco
IOx
feature
enabled:
-
800
Series
Industrial
ISRs -
Catalyst
Access
Points
(COS-APs) -
CGR1000
Compute
Modules -
IC3000
Industrial
Compute
Gateways
(software
releases
earlier
than
1.2.1) -
IR510
WPAN
Industrial
Routers
The
vulnerability
was
discovered
by
the
researchers
Sam
Quinn
and
Kasimir
Schulz
from
the
Trellix
Advanced
Research
Center.
The
flaw
doesn’t
affect
Catalyst
9000
Series
switches,
IOS
XR
and
NX-OS
software,
or
Meraki
products.
Cisco’s
Product
Security
Incident
Response
Team
(PSIRT)
confirmed
that
it
is
not
aware
of
attacks
in
the
wild
exploring
this
flaw.
Follow
me
on
Twitter:
@securityaffairs
and
Facebook
and
Mastodon
(SecurityAffairs –
hacking,
command
injection)