
Global Service Alert

Published: 01/21/2022 15:39 EST

Cisco CLI Command Injection Vulnerability

EXECUTIVE SUMMARY:

Cisco has identified a new vulnerability affecting:

  • SD-WAN - vEdge, IOS XE hardware; vBond, vManage, vSmart, IOS XR software
  • Ultra Gateway
  • Network Services Orchestrator
  • Virtual Topology System
  • Enterprise NFV Infrastructure Software
  • ConfD

This is a Command Line Interface (CLI) vulnerability affecting a number of Cisco products. There is no workaround; the only fix is a (free) software update. An exploit uses the on-device management framework (ConfD) to execute commands with root privileges.

Left unpatched, this vulnerability allows unauthenticated attackers to perform command injection attacks.

 

ID: D3-2022-0003

Severity: 8.8 (HIGH)



IMPACT

In essence, an unauthenticated attacker is able to execute code as a root user on the operating system due to improper validation of processes.


DETAILED ANALYSIS

This vulnerability is due to insufficient validation of a process argument on an affected product. An attacker could exploit this vulnerability by injecting commands during the execution of this process. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the management framework process, which are commonly root privileges.

 

DISCLOSED VULNERABILITIES

  • Multiple Cisco Products CLI Command Injection Vulnerability (High CVSS 8.8)
    • CVE-2022-20655
  • ConfD CLI Command Injection Vulnerability (High CVSS 8.8)
    • CVE-2022-20655

 

MITIGATION STEPS

Updating software immediately or through regular processes is the only solution to this issue.

Customers with service/support contracts may now download the updates from the site provided, but Cisco advises consulting the Cisco Security Advisories page for full exposure and upgrade solutions.

Customers without service contracts should contact the Cisco TAC, but free software updates are available, regardless of licensing.

 

| Cisco Product | Cisco Bug ID | First Fixed Release |
|---|---|---|
| Mobile Internet | | |
| Ultra Gateway Platform | CSCvz49669 | 6.15.0 |
| Network Management and Provisioning | | |
| Enterprise NFV Infrastructure Software (NFVIS) | CSCvm76596 | 3.12.1 |
| Network Services Orchestrator (NSO) | CSCvq22323 | 4.3.9.1, 4.4.5.6, 4.4.8, 4.5.7, 4.6.1.7, 4.6.2, 4.7.1, 5.1.0.1, 5.2 |
| Virtual Topology System (VTS) | CSCvq58164 | 2.6.5 |
| Optical Networking | | |
| Carrier Packet Transport | CSCvq58204 | End of software maintenance. No fix available. See the next section. |
| Routing and Switching - Enterprise and Service Provider | | |
| IOS XE SD-WAN | CSCvq58224 | 16.10.2, 16.12.1b, 17.2.1r |
| IOS XR (64-bit) Software | CSCvq58168 | 7.0.2, 7.1.1 |
| Network Convergence System (NCS) 4009, 4016 | CSCvq58183 | 6.5.32 (Jan 2022) |
| SD-WAN vBond Software | CSCvq58226 | 18.4.4, 19.2.1, 19.3.0, 20.1.1 |
| SD-WAN vEdge Routers | CSCvq58226 | 18.4.4, 19.2.1, 19.3.0, 20.1.1 |
| SD-WAN vManage Software | CSCvq58226 | 18.4.4, 19.2.1, 19.3.0, 20.1.1 |
| SD-WAN vSmart Software | CSCvq58226 | 18.4.4, 19.2.1, 19.3.0, 20.1.1 |

 

| ConfD Release | First Fixed Release |
|---|---|
| 6.3 and earlier | 6.3.9.1 |
| 6.4 | 6.4.7.2 and 6.4.8 |
| 6.5 | 6.5.7 |
| 6.6 | 6.6.2 |
| 6.7 | 6.7.1 |
| 7.1 and later | Not vulnerable |
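
A version check against the ConfD table above, as an added example (not part of the original alert and not Cisco code). It assumes a release at or above the lowest first-fixed release on its train is fixed; the function names, status strings and sample inventory are constructed for illustration.

```python
import re

# Lowest first-fixed ConfD release per train, transcribed from the table above.
FIRST_FIXED = {
    (6, 3): (6, 3, 9, 1),   # also the target for every train before 6.3
    (6, 4): (6, 4, 7, 2),   # table lists 6.4.7.2 and 6.4.8; lower bound used
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 2),
    (6, 7): (6, 7, 1),
}
NOT_VULNERABLE_FROM = (7, 1)  # "7.1 and later: Not vulnerable"


def parse_version(text):
    """Turn '6.4.7.2' into (6, 4, 7, 2); reject anything but dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unrecognised ConfD version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def assess(version_text):
    """Return (status, upgrade_target) for one ConfD version string."""
    version = parse_version(version_text)
    train = version[:2]
    if train >= NOT_VULNERABLE_FROM:
        return ("not vulnerable", None)
    # Trains older than 6.3 fall under the "6.3 and earlier" row.
    fixed = FIRST_FIXED.get((6, 3) if train < (6, 3) else train)
    if fixed is None:
        return ("not listed", None)  # e.g. 7.0: the table has no row for it
    if version >= fixed:  # tuple order: 6.4.7 < 6.4.7.2 < 6.4.8
        return ("fixed", None)
    return ("vulnerable", ".".join(map(str, fixed)))


def triage(inventory):
    """Map host -> (status, upgrade_target) for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed inventory for illustration; host names and versions are made up.
SAMPLE_INVENTORY = {
    "edge-01": "6.4.7.1", "edge-02": "6.4.8", "core-01": "5.8.2",
    "core-02": "7.0.3", "lab-01": "7.1",
}

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f", upgrade to {target}" if target else ""))
```

Releases the table does not cover, such as 7.0, come back as "not listed" rather than being guessed at, so they can be checked against the Cisco Security Advisories page by hand.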


SOURCES

 

CONTRIBUTING AUTHORS

  • Stephen Jones, Vice President, Cybersecurity Services
  • Sam Bourgeois, vCISO
  • Maximo Bredfeldt, vCISO

