SB2023020156 - OS command injection in Cisco IOx Application Hosting Environment

Description

This security bulletin contains information about 1 vulnerability.

1) OS Command Injection (CVE-ID: CVE-2023-20076)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the Cisco IOx application hosting environment when parsing parameters passed in for activation of an application. A remote authenticated user can pass specially crafted data and execute arbitrary OS commands as root on the underlying host system.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL
• https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc66882