Overview
On a GGSN/SPGW mobile core network device running StarOS, an attacker with an account allowed to connect to the device with a valid SSH key could connect as any user account defined with the SSH key authentication method.
Details
Knowing of a high-privilege user allowed to connect to the device via the SSH key method, a low-privilege user could gain privileged access to the affected device.
Affected versions
GGSN / SPGW on mobile core network
- ASR5000: R21.22, R21.27
- vPoP: R21.22, R21.28
Proof of Concept
See the figure
1- Theft of the SSH key of a low-privilege user allowed to connect to the device
2- Knowledge of a high-privilege user allowed to connect to the device via the SSH key method
3- Launch an SSH connection as the usurped user account using the low-privilege SSH key
Solution
Security patch
Upgrade to a patched Cisco StarOS release, as described in the Cisco Security Advisory
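Detection (added example, not part of the original advisory or of Cisco's guidance): the condition described above, a key provisioned for one account being accepted for a different account, can be looked for in SSH authentication logs. The sketch assumes OpenSSH-style "Accepted publickey" lines that include the key fingerprint (the StarOS log format may differ, so adapt the regular expression) and a hypothetical inventory `KEY_OWNERS` mapping fingerprints to the account each key was issued for; all log lines and fingerprints are constructed.

```python
import re

# Hypothetical inventory: key fingerprint -> account the key was provisioned for.
KEY_OWNERS = {
    "SHA256:CONSTRUCTED-LOWPRIV-KEY": "operator1",
    "SHA256:CONSTRUCTED-ADMIN-KEY": "secadmin",
}

# Assumed OpenSSH-style success line; adapt to the log source actually in use.
ACCEPTED = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"\S+ (?P<fp>SHA256:\S+)"
)

# Constructed sample log lines (documentation IP ranges, made-up fingerprints).
SAMPLE_LOG = [
    "Jan 10 09:12:01 gw sshd[411]: Accepted publickey for operator1 from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:CONSTRUCTED-LOWPRIV-KEY",
    "Jan 10 09:14:37 gw sshd[429]: Accepted publickey for secadmin from 192.0.2.10 port 50140 ssh2: ED25519 SHA256:CONSTRUCTED-LOWPRIV-KEY",
    "Jan 10 09:20:05 gw sshd[450]: Accepted publickey for secadmin from 192.0.2.20 port 41000 ssh2: ED25519 SHA256:CONSTRUCTED-ADMIN-KEY",
    "Jan 10 09:21:00 gw sshd[460]: Failed password for root from 198.51.100.7 port 2222 ssh2",
]


def find_cross_account_logins(lines, key_owners):
    """Flag successful key logins where the key is not the one issued to that account."""
    findings = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # not a successful public-key login
        owner = key_owners.get(m["fp"])
        if owner == m["user"]:
            continue  # key used by the account it was provisioned for
        findings.append({
            "reason": "unknown_key" if owner is None else "key_owner_mismatch",
            "user": m["user"],
            "key_owner": owner,
            "source_ip": m["ip"],
            "fingerprint": m["fp"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_cross_account_logins(SAMPLE_LOG, KEY_OWNERS):
        print(finding)
```

A `key_owner_mismatch` finding for a high-privilege account is the pattern to review first; `unknown_key` findings point to gaps in the key inventory.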
References
https://nvd.nist.gov/vuln/detail/CVE-2023-20046
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-staros-ssh-privesc-BmWeJC3h
Credits
Orange CERT-CC
Adrien MOURIER at Orange group
Timeline
Date reported: December 15, 2022
Date fixed: April 19, 2023