Cisco Patches Critical IOx Vulnerability

Cisco Systems patched a critical vulnerability that could give an attacker root privileges to software running on two of its IoT router models.

Cisco Systems patched a critical vulnerability Wednesday that could allow an unauthenticated, remote attacker to execute remote code on affected hardware and gain root privileges.

The bug is in Cisco’s Data-in-Motion (DMo) process, part of the company’s IOx application environment that marries its IOS networking software with Linux. According to a Security Advisory on Wednesday the vulnerability affects Cisco 800 series industrial integrated service router models IR809 and IR829.

Cisco says the vulnerability could allow an unauthenticated, remote attacker to cause a stack overflow that could allow an adversary to remotely execute code with root privileges in a virtual instance of the IOx software running on affected routers.

“An attacker could exploit this vulnerability by sending crafted packets that are forwarded to the DMo process for evaluation. The impacts of a successful exploit are limited to the scope of the virtual instance and do not impact the router that is hosting Cisco IOx,” according to the security advisory.

A patch addressing the vulnerability (CVE-2017-3853) is available but no workaround is available.

Both impacted models (IR809 and IR829) were recently showcased at GSMA Mobile World Congress as part of the company’s Management Platform for Cisco Field Area Networks (FAN). The routers are part of Cisco’s FAN architecture used by utilities firms to manage IoT endpoints like smart meters and streetlights.

On Wednesday, Cisco also advised customers of an additional six vulnerabilities, each rated high. For each of the flaws the firm has released software updates. Two of the vulnerabilities (CVE-2017-3852 & CVE-2017-3851) are related to the company’s application-hosting framework, something which impacts Cisco 800, 4000 and ASR 1000 series routers. Additional high impact vulnerabilities (CVE-2017-3864, CVE-2017-3857 & CVE-2017-3856), the company said, could each allow an unauthenticated, remote attacker to cause an affected device to reload.

One of the two remaining vulnerabilities rated high is a flaw (CVE-2017-3859) in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers that could allow an unauthenticated, remote attacker to cause an affected device to reload, Cisco said. The second (CVE-2017-3858) vulnerability, identified by Cisco, impacts the web framework in the company’s IOS XE software and could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

Suggested articles