- A high-severity problem that affects Cisco’s IOx application hosting environment has been acknowledged and addressed by the company.
- If a Cisco device has the Cisco IOx feature activated and does not support native Docker, it is vulnerable to this exploit if it is running Cisco IOS XE software.
- To fix the flaws, Cisco has made free software updates available. Additionally, Cisco advises users to update to a corrected software release.
Cisco IOS XE is a software-based, modular operating system for Cisco hardware platforms. It includes the Cisco NX-OS Software and the Cisco IOS Software. Cisco has confirmed that it has fixed a high-severity flaw that is impacting its IOx application hosting environment. The vulnerability could allow someone to exploit it by deploying and activating an application in the Cisco IOx application hosting environment. The vulnerability was tracked as CVE-2023-20076.
This vulnerability affects Cisco devices that are running Cisco IOS XE Software if they have the Cisco IOx feature enabled and they do not support native docker. his vulnerability also affects the following Cisco products, which do not support native docker, if they are running a vulnerable software release and have the Cisco IOx feature enabled:
- 800 Series Industrial ISRs.
- CGR1000 Compute Modules.
- IC3000 Industrial Compute Gateways (releases 1.2.1 and later runs native docker).
- IR510 WPAN Industrial Routers.
Products Confirmed Not Vulnerable
- Catalyst 9000 Series Switches (native docker is supported in all releases)
- Cisco Catalyst 9100 Family of Access Points (COS-AP)
- IOS XR Software
- Meraki products
- NX-OS Software (native docker is supported in all releases)
Sam Quinn and Kasimir Schulz of the Trellix Advanced Research Center found an issue with how tar archives are extracted which could allow an attacker to write on the underlying operating system as root. Cisco confirms that an issue exists with an unsupported compression algorithm, but says that there is no immediate way to exploit it. In the case that a future platform does not support the compression algorithm, Cisco has found a solution to this problem.
Cisco has released free software updates that address the vulnerabilities. Cisco also recommends that customers upgrade to a fixed software release. The first release that includes the fix for this vulnerability is listed in the right column.