On 16 October, Cisco made public a vulnerability affecting Cisco IOS XE components: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability. According to the advisory notes:
This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
Vulnerable products are those on which the web UI feature is enabled.
Components
The Oracle Private Cloud Appliance X9-2 contains several Cisco components – see: VPAT – Oracle Private Cloud Appliance X9-2:
- 4 Cisco Nexus 9336C Switch (2x Spine / 2x Leaf)
- 1 Cisco Nexus 9348 Switch (Management)
Decision Tree
The provided decision tree:
Verification
Let’s check the PCA components. Repeat the steps for all components according to the IP list.
Switch | Name | IP
Management | pcaswmn01 | 100.96.2.1
Spine | pcaswsp01 | 100.96.2.20
Spine | pcaswsp02 | 100.96.2.21
Leaf | pcaswlf01 | 100.96.2.22
Leaf | pcaswlf02 | 100.96.2.23
Login as admin User
Example: management switch.
[root@pcamn01 ~]# ssh admin@100.96.2.20
Warning: Permanently added '100.96.2.20' (RSA) to the list of known hosts.
User Access Verification
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (C) 2002-2019, Cisco and/or its affiliates.
All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under their own
licenses, such as open source. This software is provided "as is," and unless
otherwise stated, there is no warranty, express or implied, including but not
limited to warranties of merchantability and fitness for a particular purpose.
Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or
GNU General Public License (GPL) version 3.0 or the GNU
Lesser General Public License (LGPL) Version 2.1 or
Lesser General Public License (LGPL) Version 2.0.
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://opensource.org/licenses/gpl-3.0.html and
http://www.opensource.org/licenses/lgpl-2.1.php and
http://www.gnu.org/licenses/old-licenses/library.txt.
pcaswsp01#
Enter Configuration Terminal
pcaswmn01# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Search for the http server commands
pcaswmn01(config)# show running-config | include "ip http server"
>> no rows selected
pcaswsp01(config)# show running-config | include "ip http secure-server"
>> no rows selected
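To repeat the check over the whole switch table without logging in to each device by hand, here is an added shell script (not from the original post) that runs the same `show running-config | include` query over SSH for every switch listed above and flags any that returns an enabled `ip http server` or `ip http secure-server` line. The admin user and IP list are from the table; the `--audit` flag and function names are my own.

```shell
#!/bin/sh
# Added example: audit the PCA switches for the web UI commands named in the
# advisory. Switch names/IPs are from the post's table; the ssh user "admin"
# matches the login shown above.

# Print the switch list as "name ip" pairs.
switch_list() {
  cat <<'EOF'
pcaswmn01 100.96.2.1
pcaswsp01 100.96.2.20
pcaswsp02 100.96.2.21
pcaswlf01 100.96.2.22
pcaswlf02 100.96.2.23
EOF
}

# Read running-config lines on stdin and print ENABLED if "ip http server" or
# "ip http secure-server" is configured. A leading "no " means the server is
# explicitly disabled, so only lines starting with "ip http" count.
classify_config() {
  if grep -Eq '^[[:space:]]*ip http (secure-)?server([[:space:]]|$)'; then
    echo ENABLED
  else
    echo DISABLED
  fi
}

# Fetch the relevant config lines from one switch and classify them.
# BatchMode makes ssh fail instead of prompting, so the loop runs unattended.
check_switch() {
  name=$1; ip=$2
  if cfg=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "admin@$ip" \
             'show running-config | include "ip http"' 2>/dev/null); then
    echo "$name $ip $(printf '%s\n' "$cfg" | classify_config)"
  else
    echo "$name $ip UNREACHABLE"
  fi
}

# Walk the whole list; exit non-zero if any switch reports the web UI enabled
# so the script can be wired into a scheduled compliance job.
audit_switches() {
  results=$(switch_list | while read -r name ip; do check_switch "$name" "$ip"; done)
  printf '%s\n' "$results"
  case $results in *ENABLED*) return 1 ;; esac
  return 0
}

if [ "${1-}" = "--audit" ]; then audit_switches; fi
```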
Good News
None of our Cisco switches has the web UI enabled, so according to the decision tree the vulnerability is not exploitable and no further action is necessary. Note also that the login banner above identifies these Nexus switches as running NX-OS rather than the IOS XE software named in the advisory, which is consistent with this result. Check your systems now!