Cisco patches high and critical flaws across several products

Cisco fixed serious vulnerabilities across several of its products this week, including in its Industrial Network Director, Modeling Labs, ASR 5000 Series Routers, and BroadWorks Network Server. The flaws can lead to administrative command injection, authentication bypass, remote privilege escalation and denial of service.

The Cisco Industrial Network Director (IND), a network monitoring and management server for operational technology (OT) networks, received patches for two vulnerabilities rated critical and medium respectively. These were fixed in version 1.11.3 of the software.

The critical flaw, CVE-2023-20036, is in the web-based user interface of Cisco IND and could allow an authenticated remote attacker to execute arbitrary commands on the underlying Windows operating system with administrative privileges (NT AUTHORITY\SYSTEM). The vulnerability results from insufficient input validation in the functionality that allows users to upload Device Packs.

The medium-risk flaw fixed in Cisco IND, CVE-2023-20039, is the result of insufficiently strong file permissions by default on the application data directory. A successful exploit could allow an authenticated attacker to access sensitive information and files from this directory.

Cisco Modeling Labs flaw could allow for unauthorized remote access

Cisco Modeling Labs, an on-premises network simulation tool, has a critical vulnerability (CVE-2023-20154) that results from the way it processes certain messages from an external LDAP authentication server. An unauthenticated remote attacker could exploit it to gain access to the tool’s web interface with administrative privileges, which would let them view and modify all simulations and user-created data.

The flaw impacts Modeling Labs for Education, Modeling Labs Enterprise and Modeling Labs – Not For Resale, but not Modeling Labs Personal and Personal Plus. It can only be exploited if the external LDAP server is configured so that it responds to search queries with a non-empty array of matching entries. As a temporary workaround, an administrator can change the LDAP server configuration so that it no longer does so, but customers are advised to upgrade Modeling Labs to version 2.5.1 to fix the vulnerability.
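The advisory text does not say which LDAP messages Modeling Labs mishandles, so the following is not a reconstruction of CVE-2023-20154. It is an added example (not Cisco's code) of the general failure class the workaround points at: an application that treats a non-empty LDAP search result as proof of identity instead of binding to the directory with the user's own password. The fake LDAP server, the directory entries and the passwords are constructed; the `answers_searches` flag is a hypothetical stand-in for the server-side configuration change described above.

```python
class FakeLdapServer:
    """Stand-in for the external LDAP server (constructed, not a real client).
    answers_searches=False models the administrator-side workaround: the
    directory stops returning matching entries to the application's search
    queries, so a search result can no longer substitute for authentication."""

    def __init__(self, users, answers_searches=True):
        self._users = users                  # dn -> (uid, password)
        self.answers_searches = answers_searches

    def search(self, uid):
        """Return the DNs whose uid matches, or an empty list."""
        if not self.answers_searches:
            return []
        return [dn for dn, (u, _) in self._users.items() if u == uid]

    def bind(self, dn, password):
        """Simple bind. Mirrors a real directory that permits unauthenticated
        binds (RFC 4513): a DN with an empty password 'succeeds' as anonymous,
        so the caller must refuse empty passwords itself."""
        if password == "":
            return True
        entry = self._users.get(dn)
        return entry is not None and entry[1] == password


def sample_directory(**kwargs):
    """Constructed directory with one user (hypothetical DN and password)."""
    return FakeLdapServer({
        "uid=alice,ou=people,dc=example,dc=com": ("alice", "correct-horse"),
    }, **kwargs)


def vulnerable_login(ldap, username, password):
    """Failure class: a non-empty search result is taken as proof of identity.
    The password is never presented to the directory, so anyone who knows a
    valid username obtains an administrative session."""
    if ldap.search(username):
        return {"user": username, "role": "admin"}
    return None


def fixed_login(ldap, username, password):
    """The search only resolves the DN; authentication is the bind as that DN
    with the supplied password. Empty passwords are refused up front so an
    unauthenticated (anonymous) bind cannot be mistaken for success."""
    if not password:
        return None
    entries = ldap.search(username)
    if len(entries) != 1:                    # unknown or ambiguous user
        return None
    if not ldap.bind(entries[0], password):
        return None
    return {"user": username, "role": "admin"}


if __name__ == "__main__":
    server = sample_directory()
    print("vulnerable, wrong password:", vulnerable_login(server, "alice", "wrong"))
    print("fixed, wrong password:     ", fixed_login(server, "alice", "wrong"))
    print("fixed, empty password:     ", fixed_login(server, "alice", ""))
    print("fixed, right password:     ", fixed_login(server, "alice", "correct-horse"))
```

The `answers_searches=False` path shows why a directory-side change can blunt this class of bug without touching the application: if the search never yields entries, the vulnerable branch never fires. That is a mitigation rather than a fix, which is why upgrading is the recommended course.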

Privilege escalation possible with Cisco StarOS flaw

The Cisco StarOS Software which is used on ASR 5000 Series Routers, but also on the Virtualized Packet Core – Distributed Instance (VPC-DI) and Virtualized Packet Core – Single Instance (VPC-SI) solutions, has a high-risk vulnerability (CVE-2023-20046) in its implementation of key-based SSH authentication.

Specifically, if an attacker sends an SSH authentication request from an IP address configured as the source for a high-privileged account but presents the SSH key of a low-privileged account, the system authenticates them as the high-privileged account even though they never supplied that account’s key. The flaw stems from insufficient validation of the supplied credentials and results in privilege escalation.

As a workaround, administrators could configure all user accounts that are approved for SSH key-based authentication to use different IP addresses. However, Cisco recommends upgrading to a fixed version of the software.
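The check described in the two paragraphs above can be modelled in a few lines. This is an added example, not StarOS code: it shows a flawed key-based login step that validates the presented key against the pool of accounts allowed from the connection's source IP rather than against the requested account alone, the corrected check beside it, and a small audit helper for the workaround (accounts sharing a source IP). Account names, addresses and key fingerprints are constructed.

```python
from dataclasses import dataclass, field
from collections import defaultdict


@dataclass
class Account:
    name: str
    privilege: str                 # hypothetical label, e.g. "admin" or "operator"
    allowed_source_ip: str         # source address the account may log in from
    key_fingerprints: set = field(default_factory=set)


def sample_accounts():
    """Constructed user database: two key-based SSH accounts approved from the
    same source address, which is exactly the condition the workaround removes."""
    return {
        "netadmin": Account("netadmin", "admin", "10.0.0.5", {"SHA256:AAAA"}),
        "readonly": Account("readonly", "operator", "10.0.0.5", {"SHA256:BBBB"}),
    }


def vulnerable_authenticate(accounts, requested_user, source_ip, fingerprint):
    """Flawed check: the requested account must be allowed from the source IP,
    but the presented key is accepted if it belongs to *any* account allowed
    from that IP. A low-privileged key therefore unlocks the high-privileged
    account that shares the address."""
    target = accounts.get(requested_user)
    if target is None or target.allowed_source_ip != source_ip:
        return None
    same_source = [a for a in accounts.values() if a.allowed_source_ip == source_ip]
    if any(fingerprint in a.key_fingerprints for a in same_source):
        return target.name
    return None


def fixed_authenticate(accounts, requested_user, source_ip, fingerprint):
    """Correct check: the key must be authorised for the requested account
    itself, and the source IP must be allowed for that same account."""
    target = accounts.get(requested_user)
    if target is None or target.allowed_source_ip != source_ip:
        return None
    return target.name if fingerprint in target.key_fingerprints else None


def shared_source_ips(accounts):
    """Audit helper for the workaround: source IPs shared by more than one
    key-based account, i.e. the configurations still exposed to the flaw."""
    by_ip = defaultdict(list)
    for a in accounts.values():
        by_ip[a.allowed_source_ip].append(a.name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    accts = sample_accounts()
    # Attacker at 10.0.0.5 holds only readonly's key but asks to log in as netadmin.
    print("vulnerable:", vulnerable_authenticate(accts, "netadmin", "10.0.0.5", "SHA256:BBBB"))
    print("fixed:     ", fixed_authenticate(accts, "netadmin", "10.0.0.5", "SHA256:BBBB"))
    print("shared IPs:", shared_source_ips(accts))
```

Giving `readonly` a different source address makes the vulnerable check reject the attack as well, which is why the interim workaround works; the fixed check does not depend on address separation at all.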

Cisco BroadWorks vulnerability could lead to denial of service

The Cisco BroadWorks Network Server received a patch for a high-risk vulnerability (CVE-2023-20125) in its TCP implementation that could lead to a denial-of-service condition. The flaw results from a lack of rate limiting for incoming TCP connections, allowing unauthenticated remote attackers to open TCP connections to the server at a high rate and exhaust its system resources. Customers are advised to deploy the patches Cisco lists for this issue, such as the RI.2023.02 patches.
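To make the missing control concrete, here is an added example (not BroadWorks code) of a per-source sliding-window limit on new TCP connections, run over a constructed connection log containing one flooding address and one normal client. The limit, window and addresses are hypothetical; in practice such a limit lives in front of the service (host firewall or load balancer) and does not stop a flood spread across many sources, so it complements the patch rather than replacing it.

```python
from collections import defaultdict, deque


class ConnectionRateLimiter:
    """Sliding-window limit on new TCP connections per source address.
    Timestamps are integer milliseconds; the parameters are hypothetical."""

    def __init__(self, max_connections, window_ms):
        self.max = max_connections
        self.window = window_ms
        self._recent = defaultdict(deque)   # source_ip -> accepted-connection timestamps

    def allow(self, source_ip, now_ms):
        """Return True if a new connection from source_ip may be accepted now."""
        q = self._recent[source_ip]
        while q and now_ms - q[0] >= self.window:
            q.popleft()                      # forget connections outside the window
        if len(q) >= self.max:
            return False                     # budget for this source is exhausted
        q.append(now_ms)
        return True


def sample_connection_log():
    """Constructed events (source_ip, timestamp_ms): 100 connection attempts in
    one second from a flooding address, plus four spaced attempts from a client."""
    flood = [("198.51.100.7", 10 * i) for i in range(100)]
    normal = [("203.0.113.9", t) for t in (500, 1000, 1500, 2500)]
    return sorted(flood + normal, key=lambda e: e[1])


def accepted_per_source(events, max_connections=20, window_ms=1000):
    """Run the limiter over an event list; return accept/reject counts per source."""
    limiter = ConnectionRateLimiter(max_connections, window_ms)
    counts = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ip, t in events:
        verdict = "accepted" if limiter.allow(ip, t) else "rejected"
        counts[ip][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in accepted_per_source(sample_connection_log()).items():
        print(ip, c)
```

The flooding source is capped at the per-window budget while the normal client, which has its own queue, is never affected; that isolation is the property a lack of rate limiting gives up.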

Cisco also patched several medium-risk flaws this week in its TelePresence Collaboration Endpoint and RoomOS, Cisco SD-WAN vManage Software and the Cisco Packet Data Network Gateway. These can result in arbitrary file write, arbitrary file deletion and IPsec ICMP denial of service.