On April 5, 2023, Cisco issued an urgent security advisory to address multiple command injection vulnerabilities identified in several of its key products: the Cisco Evolved Programmable Network Manager (EPNM), Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure. These vulnerabilities could be exploited by an authenticated, local attacker to bypass the restricted shell and obtain root privileges on the operating system of the affected device.
The vulnerabilities affect different Cisco products:
- CVE-2023-20121 affects Cisco EPNM, Cisco ISE, and Cisco Prime Infrastructure.
- CVE-2023-20122 specifically affects Cisco ISE.
The vulnerabilities are not dependent on one another, meaning that exploitation of one does not require exploitation of the other. Additionally, a software release that is affected by one of the vulnerabilities may not necessarily be affected by the other.
In response to these critical security flaws, Cisco has released software updates that successfully address the vulnerabilities. Cisco has confirmed that no workarounds are available, making it essential for users to apply the provided security fixes as soon as possible.
The fixed software release versions are as follows:
- Cisco EPNM: Users running version 7.0.0 and earlier should update to version 7.0.1, which is scheduled for release in July 2023.
- Cisco ISE: Users running version 3.2 should update to version 3.2P1. Cisco ISE version 3.1 is not vulnerable.
- Cisco Prime Infrastructure: Users running version 3.9 and earlier are advised to migrate to a fixed release. Users running version 3.10 should update to version 3.10.4, which is set for release in May 2023.
As of the publication date of the advisory, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities described in the advisory.
Cisco has expressed its gratitude to Sean Morland of NCC Group FSAS for discovering and reporting the vulnerabilities. Additional credit was given to Andrew Kim and X.B. of the Cisco Advanced Security Initiatives Group (ASIG) for their contributions.
Cisco customers are strongly urged to review the security advisory and take immediate action to secure their systems by applying the necessary software updates. The vulnerabilities highlight the importance of proactive cybersecurity measures and the need for regular software updates to protect against potential exploitation