Cisco Industrial Network Director Vulnerabilities

Summary:
This week, Cisco addressed several flaws impacting its Industrial Network Director, which is designed to help “operations teams gain full visibility of network and automation devices in the context of the automation process and provides improved system availability and performance, leading to increased overall equipment effectiveness.” The most severe of the flaws is CVE-2023-20036, a critical (CVSS: 9.9) command injection vulnerability in the web UI of Cisco IND that could allow unauthenticated remote attackers to execute arbitrary commands with administrative privileges on the compromised devices.

“This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device,” stated Cisco in an advisory published on Wednesday.

The other flaw addressed is being tracked as CVE-2023-20039 and has been rated medium in severity (CVSS score: 5.5). CVE-2023-20039 relates to a file permissions vulnerability that could allow a local attacker to read application data. According to Cisco, “this vulnerability is due to insufficient default file permissions that are applied to the application data directory. An attacker could exploit this vulnerability by accessing files in the application data directory. A successful exploit could allow the attacker to view sensitive information.”
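
As an added example (not taken from the Cisco advisory or from Cisco tooling), the following PowerShell audit lists files and folders under a directory where broad Windows groups are allowed to read data, which is the condition CVE-2023-20039 describes. The directory path is a placeholder because the advisory text quoted here does not name it, and the function name `Get-BroadReadAce` is hypothetical.

```powershell
# Added example: report read access granted to broad principals under a directory.
# $DataDir is a PLACEHOLDER; this page does not state the Cisco IND data directory path.
param(
    [string]$DataDir = 'C:\PLACEHOLDER\IND-application-data'
)

# Well-known SIDs of broad groups that should not normally read service data.
# Matching on SIDs keeps the check working on localized Windows installs.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# ReadData (same bit as ListDirectory) is what lets a principal view contents.
$ReadBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)

    # Check the root and every child, so each item's own ACL is evaluated.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than abort

        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            $canRead = (([int]$ace.FileSystemRights -band $ReadBit) -ne 0)
            if ($ace.AccessControlType -eq 'Allow' -and $canRead -and
                $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $BroadSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-BroadReadAce -Path $DataDir | Format-Table -AutoSize -Wrap
```

An empty result means none of the three groups has an allow entry with read access on any item the script could inspect; entries marked `Inherited` point to a permissive ACL on a parent folder.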

Analyst comments:
The flaws impact Cisco IND versions 1.10 and later and have been fixed in the 1.11.3 version release. As of writing, Cisco is not aware of attacks in the wild exploiting these flaws. However, with the public disclosure, it won’t be long before actors leverage the exploits in attacks.

Mitigation:
Organizations should upgrade to a fixed software release as soon as possible to prevent potential exploitation.

Source:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ind-CAeLFk6V