Overview
A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to read or write arbitrary data on the underlying host operating system.
Impact
This vulnerability exists because a real path check is not performed on the requested data. An attacker could exploit this vulnerability by creating a symbolic link within the deployed application and requesting data using the API.
Details
A successful exploit could allow the attacker to read or execute arbitrary code as root on the underlying host operating system.
Solution
Security patch
Upgrade to patched version (see above).
Workaround
There are no workarounds that address this vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-20720
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Timeline
Date reported: June 06, 2021
Date fixed: April 13, 2022
Overview
A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to read or write arbitrary data on the underlying host operating system.
Impact
This vulnerability exists because a real path check is not performed on the requested data. An attacker could exploit this vulnerability by creating a symbolic link within the deployed application and requesting data using the API.
Details
A successful exploit could allow the attacker to read or execute arbitrary code as root on the underlying host operating system.
Solution
Security patch
Upgrade to patched version (see above).
Workaround
There are no workarounds that address this vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-20720
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Timeline
Date reported: June 06, 2021
Date fixed: April 13, 2022