Cisco bug gives remote attackers root privileges via debug mode

Cisco has fixed a critical security flaw discovered in the Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software during internal security testing.

The vulnerability, tracked as CVE-2022-20649, enables unauthenticated attackers to gain remote code execution (RCE) with root-level privileges on devices running the vulnerable software.

"A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container," Cisco said.

As the company further explains, the vulnerability exists due to the debug mode being incorrectly enabled for specific services.

"An attacker could exploit this vulnerability by connecting to the device and navigating to the service with debug mode enabled. A successful exploit could allow the attacker to execute arbitrary commands as the root user," Cisco added.

However, for unauthenticated access to devices running unpatched software, the attackers would first need to perform detailed reconnaissance to discover the vulnerable services.

No in-the-wild exploitation

Cisco's Product Security Incident Response Team (PSIRT) said that the company is not aware of exploitation of this vulnerability in ongoing attacks.

Today, Cisco also fixed a medium severity information disclosure bug (CVE-2022-20648) in the Cisco RCM for Cisco StarOS caused by a debug service incorrectly listening to and accepting incoming connections.

Remote attackers could exploit this second bug by executing debug commands after connecting to the debug port. Successful exploitation could allow them to access sensitive debugging information on the vulnerable device.

The company has released Cisco RCM for StarOS 21.25.4, which comes with security updates to address these flaws and is available through the Software Center on Cisco.com.

Last year, Cisco patched several other vulnerabilities that allow threat actors to execute code and commands remotely with root privileges.

For instance, it addressed critical pre-authentication RCE flaw impacting SD-WAN vManage that could enable threat actors to get root privileges on the underlying OS in May. Another pre-auth bug in the same software, allowing attackers to gain RCE as root, was fixed in April.