Cisco IOS XE Privilege Escalation Vulnerability – Is my Oracle Private Cloud Appliance X9-2 affected?

On 16 October, Cisco published an advisory for a vulnerability affecting Cisco IOS XE components: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability. According to the advisory notes:

This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

Vulnerable products are those on which the web UI feature is enabled.

Components

The Oracle Private Cloud Appliance X9-2 contains several Cisco components (see VPAT – Oracle Private Cloud Appliance X9-2):

  • 4 Cisco Nexus 9336C Switch (2x Spine / 2x Leaf)
  • 1 Cisco Nexus 9348 Switch (Management)

Decision Tree

The provided decision tree:

Verification

Let’s check the PCA components. Repeat the steps for every component in the IP list.

Switch      Name        IP
Management  pcaswmn01   100.96.2.1
Spine       pcaswsp01   100.96.2.20
Spine       pcaswsp02   100.96.2.21
Leaf        pcaswlf01   100.96.2.22
Leaf        pcaswlf02   100.96.2.23

Login as admin User

Example: management switch.

[root@pcamn01 ~]# ssh admin@100.96.2.20
Warning: Permanently added '100.96.2.20' (RSA) to the list of known hosts.
User Access Verification

Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (C) 2002-2019, Cisco and/or its affiliates.
All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under their own
licenses, such as open source.  This software is provided "as is," and unless
otherwise stated, there is no warranty, express or implied, including but not
limited to warranties of merchantability and fitness for a particular purpose.
Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or
GNU General Public License (GPL) version 3.0  or the GNU
Lesser General Public License (LGPL) Version 2.1 or
Lesser General Public License (LGPL) Version 2.0.
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://opensource.org/licenses/gpl-3.0.html and
http://www.opensource.org/licenses/lgpl-2.1.php and
http://www.gnu.org/licenses/old-licenses/library.txt.
pcaswsp01#

Start the configuration terminal

pcaswmn01# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Search the running configuration for the HTTP server commands

pcaswmn01(config)# show running-config | include "ip http server"
>> no rows selected

pcaswsp01(config)# show running-config | include "ip http secure-server"
>> no rows selected
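To apply the same check to the text collected from every switch in the IP list, here is an added Python helper; it is my own example, not code from this post, Oracle or Cisco. It assumes the login banner and `show running-config` output have already been captured per device, that an IOS XE banner contains the string "IOS XE" (the NX-OS banner shown above therefore lands outside the advisory's scope), and it takes the `ip http active-session-modules none` rule from the Cisco advisory rather than from this post.

```python
import re

# "| include" on the CLI also matches the negated form "no ip http server",
# so a match alone does not prove the web UI is on: inspect the "no" prefix.
HTTP_RE = re.compile(r"^\s*(no\s+)?ip http (server|secure-server)\s*$")
# Session-blocking lines from the Cisco advisory (exact form assumed here);
# they stop web UI sessions even when the listener itself stays enabled.
SESSION_NONE_RE = re.compile(r"^\s*ip http (secure-)?active-session-modules none\s*$")

def web_ui_state(running_config):
    """Parse an IOS XE running-config into which web UI listeners are enabled."""
    state = {"http": False, "https": False,
             "http_sessions_off": False, "https_sessions_off": False}
    for line in running_config.splitlines():
        m = HTTP_RE.match(line)
        if m:
            key = "http" if m.group(2) == "server" else "https"
            state[key] = m.group(1) is None   # enabled unless prefixed with "no"
            continue
        m = SESSION_NONE_RE.match(line)
        if m:
            state["https_sessions_off" if m.group(1) else "http_sessions_off"] = True
    return state

def assess(banner, running_config):
    """Apply the decision tree: affected platform first, then the web UI feature."""
    if "IOS XE" not in banner:           # e.g. the NX-OS banner on the PCA switches
        return "not affected: device is not running IOS XE"
    s = web_ui_state(running_config)
    if (s["http"] and not s["http_sessions_off"]) or \
       (s["https"] and not s["https_sessions_off"]):
        return "exploitable: web UI reachable, disable it or restrict access"
    if s["http"] or s["https"]:
        return "not exploitable: listener up but web UI sessions disabled"
    return "not exploitable: web UI disabled"

# Constructed sample inputs, not captured from real devices.
NXOS_BANNER = "Cisco Nexus Operating System (NX-OS) Software"
IOSXE_BANNER = "Cisco IOS XE Software, Version 17.x (constructed)"
CFG_DISABLED = "hostname rtr1\nno ip http server\nno ip http secure-server\n"
CFG_HTTPS_ON = "hostname rtr2\nno ip http server\nip http secure-server\n"
CFG_MITIGATED = ("hostname rtr3\nip http server\n"
                 "ip http active-session-modules none\nno ip http secure-server\n")

if __name__ == "__main__":
    for name, banner, cfg in [("pcaswsp01", NXOS_BANNER, ""), ("rtr1", IOSXE_BANNER, CFG_DISABLED),
                              ("rtr2", IOSXE_BANNER, CFG_HTTPS_ON), ("rtr3", IOSXE_BANNER, CFG_MITIGATED)]:
        print(f"{name}: {assess(banner, cfg)}")
```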

Good News

The web UI is not enabled on any of our Cisco switches, so according to the decision tree the vulnerability is not exploitable and no further action is necessary. Check your systems now!