-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4845
          Cisco IOS XE ROM Monitor Software for Catalyst Switches
                   Information Disclosure Vulnerability
                             29 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Catalyst 3600 Series Switches
                   Catalyst 3800 Series Switches
                   Catalyst 9300 Series Switches
                   Catalyst 9400 Series Switches
                   Catalyst 9500 Series Switches
                   Catalyst 9600 Series Switches
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20864  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO

Comment: CVSS (Max):  4.6 CVE-2022-20864 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE ROM Monitor Software for Catalyst Switches Information Disclosure
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-iosxe-info-disc-nrORXjO
First Published: 2022 September 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx64514 CSCvx88952 CSCwa53008 CSCwa58212
CVE Names:       CVE-2022-20864
CWEs:            CWE-538

Summary

  o A vulnerability in the password-recovery disable feature of Cisco IOS XE
    ROM Monitor (ROMMON) Software for Cisco Catalyst Switches could allow an
    unauthenticated, local attacker to recover the configuration or reset the
    enable password.

    This vulnerability is due to a problem with the file and boot variable
    permissions in ROMMON. An attacker could exploit this vulnerability by
    rebooting the switch into ROMMON and entering specific commands through the
    console. A successful exploit could allow the attacker to read any file or
    reset the enable password.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco IOS XE ROMMON
    Software and had the password-recovery disable feature enabled:

       Catalyst 3600 Series Switches
       Catalyst 3800 Series Switches
       Catalyst 9200 Series Switches
       Catalyst 9300 Series Switches
       Catalyst 9400 Series Switches
       Catalyst 9500 Series Switches
       Catalyst 9600 Series Switches

    For information about which Cisco software releases were vulnerable at the
    time of publication, see the Fixed Software section of this advisory. See
    the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Determine the Cisco IOS XE ROMMON Software Release

    To determine which Cisco IOS XE ROMMON Software release is running on a
    device, log in to the device and use the show version | include BOOTLDR CLI
    command. The following example shows the output of this command for a
    device that is running Cisco IOS XE ROMMON Software Release 17.5.1r:

        Switch# show version | include BOOTLDR
        BOOTLDR: System Bootstrap, Version 17.5.1r [FC4], RELEASE SOFTWARE (P)

    Determine Whether the Password-Recovery Disable Feature is Enabled

    To determine whether the password-recovery disable feature is enabled, log
    in to the device and use the show romvar | include
    SWITCH_DISABLE_PASSWORD_RECOVERY CLI command. The following example shows
    the output of a device that has the password-recovery disable feature
    enabled (SWITCH_DISABLE_PASSWORD_RECOVERY value is "1"):

        Switch# show romvar | include SWITCH_DISABLE_PASSWORD_RECOVERY
        SWITCH_DISABLE_PASSWORD_RECOVERY="1"

    If the value is "0", or SWITCH_DISABLE_PASSWORD_RECOVERY does not appear in
    the show romvar output at all, the password-recovery disable feature is not
    enabled.
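
The two checks above can be scripted across a fleet. The following Python is
an added example, not Cisco's code or part of the advisory: it parses the
output of the two CLI commands shown above and classifies a device using the
first fixed ROMMON releases from the Fixed Releases table of this advisory.
The sample command output is constructed from the advisory's examples, not
captured from a real device, and the numeric ordering of release strings
(ignoring the trailing "r") is an assumption of this example, not a rule
stated by the advisory.

```python
import re

# Constructed sample CLI output, modelled on the advisory's own examples;
# not captured from a real device.
SAMPLE_SHOW_VERSION = (
    "BOOTLDR: System Bootstrap, Version 17.5.1r [FC4], RELEASE SOFTWARE (P)\n"
)
SAMPLE_SHOW_ROMVAR = 'SWITCH_DISABLE_PASSWORD_RECOVERY="1"\n'

# First fixed ROMMON release per platform, from the advisory's Fixed Releases table.
FIRST_FIXED_ROMMON = {
    "Catalyst 3600": "5.08",
    "Catalyst 3800": "5.08",
    "Catalyst 9200": "17.8.1r",
    "Catalyst 9300": "17.8.1r",
    "Catalyst 9400": "17.8.1r",
    "Catalyst 9500": "17.8.1r",
    "Catalyst 9600": "17.8.1r",
}


def parse_bootldr(show_version_output):
    """Return the ROMMON release from 'show version | include BOOTLDR', or None."""
    m = re.search(r"BOOTLDR:.*?Version\s+([\w.]+)", show_version_output)
    return m.group(1) if m else None


def password_recovery_disabled(show_romvar_output):
    """True only when SWITCH_DISABLE_PASSWORD_RECOVERY is present and set to 1.

    Per the advisory, a value of 0 or a missing variable means the feature is
    not enabled, so the device is not exposed whatever ROMMON release it runs.
    """
    m = re.search(r'SWITCH_DISABLE_PASSWORD_RECOVERY="?(\d+)"?', show_romvar_output)
    return m is not None and m.group(1) == "1"


def version_key(release):
    """Numeric tuple for ordering, e.g. '17.5.1r' -> (17, 5, 1), '5.08' -> (5, 8).

    Assumption of this example: the trailing 'r' on ROMMON releases carries no
    ordering information, so only the numeric fields are compared.
    """
    return tuple(int(p) for p in re.findall(r"\d+", release))


def assess(platform, show_version_output, show_romvar_output):
    """Classify one device against the advisory's affected conditions."""
    fixed = FIRST_FIXED_ROMMON.get(platform)
    rommon = parse_bootldr(show_version_output)
    feature_on = password_recovery_disabled(show_romvar_output)
    result = {
        "platform": platform,
        "rommon": rommon,
        "first_fixed_rommon": fixed,
        "password_recovery_disabled": feature_on,
    }
    if fixed is None:
        result["status"] = "platform_not_in_advisory"
    elif rommon is None:
        result["status"] = "rommon_release_unknown"
    elif not feature_on:
        # Advisory: only devices with the feature enabled are affected.
        result["status"] = "not_exposed_feature_not_enabled"
    elif version_key(rommon) < version_key(fixed):
        result["status"] = "affected"
    else:
        result["status"] = "fixed"
    return result


if __name__ == "__main__":
    print(assess("Catalyst 9300", SAMPLE_SHOW_VERSION, SAMPLE_SHOW_ROMVAR))
```

A device reporting ROMMON 17.5.1r with SWITCH_DISABLE_PASSWORD_RECOVERY="1"
is classified as affected; the same device with the variable absent is
reported as not exposed, matching the advisory's statement that only devices
with the feature enabled are affected. Since ROMMON is bundled with the IOS XE
image, remediation is the IOS XE upgrade described under Fixed Software, and
the check should be re-run after the second reboot that activates the new
ROMMON.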

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    +-------------------------------+--------------------------+--------------------------+
    | Cisco Device                  | First Fixed Cisco IOS XE | First Fixed Cisco IOS XE |
    |                               | ROMMON Software Release  | Software Release         |
    +-------------------------------+--------------------------+--------------------------+
    | Catalyst 3600 Series Switches | 5.08                     | 16.12.7                  |
    | Catalyst 3800 Series Switches | 5.08                     | 16.12.7                  |
    | Catalyst 9200 Series Switches | 17.8.1r                  | 17.6.3 and 17.8.1        |
    | Catalyst 9300 Series Switches | 17.8.1r                  | 17.8.1                   |
    | Catalyst 9400 Series Switches | 17.8.1r                  | 17.8.1                   |
    | Catalyst 9500 Series Switches | 17.8.1r                  | 17.8.1                   |
    | Catalyst 9600 Series Switches | 17.8.1r                  | 17.8.1                   |
    +-------------------------------+--------------------------+--------------------------+

    ROMMON software is a bootstrap program that initializes the hardware and
    boots Cisco IOS XE Software when a device is powered on or reloaded. ROMMON
    software is bundled with the Cisco IOS XE binary, which can be downloaded
    from the Software Center on Cisco.com. It is not available as a standalone
    binary.

    Customers who want to upgrade ROMMON to a fixed release will need to
    upgrade the Cisco IOS XE Software to a fixed release. On first boot, Cisco
    IOS XE Software will check the installed ROMMON release and upgrade it to
    the included release if the device is running an older release. A second
    reboot will be required to activate the upgraded ROMMON.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during the investigation of a TAC Service
    Request.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-SEP-28  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYzUrm8kNZI30y1K9AQiX3RAAm3Rz2rGoHwEC+K90+eCmmPLCV14lp6Y3
8W4bGcyhstd5K9IEXc00ddic+0h5VTcICWDqBX9uLgZpmr0dpTYWOcbabTSdn/44
Qt2SbCPZXst4ma96IsO55ZZ9ZYahyY7EHJCINvO6T6NflhR/vhceTF5MP/DRiSy+
NrZ/2PsHSA6C2229o4V2JM/Yo8Wt8bCQCIQ9gwZVACfcdLq/BNxD3ahaURsyjWL2
tZihUFOiN4I+P2Pb0vQT+kSe2Dgg6vlcwnCdIHVy7JOp8UUAVUMZCcQu08HMWsgM
nQM1ACpmXBKl4A+Y27+oVRFQlfQ5NjAnHEdpRzMTCvzWGU9pA8j/XzNOc4D98EZB
9cqlNGrijkMtEFISy48B1DaAWtKUtoQcOrt3dsnYbkZbm0RAJ1jJ9OwJd/0257On
kQA+pXidDFpbiMeM/dHyX5UBckuBauX4PR+pRa7RzcYzDv8qJJcIJY1TKMcHBWH8
pK4+qrSSdEJzhF5I80INlnhAIyCgQUA+wVuCJfeJKtS26Oucu1yK5j7HUGPWVJAh
jgVGlqdm17/EPvsoJV7ePFB00uKyZOIajkzlPTuu3Tfhpz6egAnVY88Yh270NrWE
xQhrbzam7YzuGWRtvFZiPJb65abU/2zBFJ79K6gskMrOwUcTduNcdJ6dTsoraRGn
7BRS3bBgW7U=
=LOan
-----END PGP SIGNATURE-----