-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4845
      Cisco IOS XE ROM Monitor Software for Catalyst Switches Information
                           Disclosure Vulnerability
                              29 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Catalyst 3600 Series Switches
                   Catalyst 3800 Series Switches
                   Catalyst 9200 Series Switches
                   Catalyst 9300 Series Switches
                   Catalyst 9400 Series Switches
                   Catalyst 9500 Series Switches
                   Catalyst 9600 Series Switches
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20864
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO

Comment: CVSS (Max):  4.6 CVE-2022-20864 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE ROM Monitor Software for Catalyst Switches Information Disclosure
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-iosxe-info-disc-nrORXjO
First Published: 2022 September 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx64514 CSCvx88952 CSCwa53008 CSCwa58212
CVE Names:       CVE-2022-20864
CWEs:            CWE-538

Summary

  o A vulnerability in the password-recovery disable feature of Cisco IOS XE ROM
    Monitor (ROMMON) Software for Cisco Catalyst Switches could allow an
    unauthenticated attacker with console (physical) access to recover the
    configuration or reset the enable password.

    This vulnerability is due to a problem with the file and boot variable
    permissions in ROMMON. An attacker could exploit this vulnerability by
    rebooting the switch into ROMMON and entering specific commands through the
    console. Note that the password-recovery disable feature (configured in
    IOS XE with no service password-recovery) exists precisely to stop someone
    with console access from recovering the configuration; this flaw defeats
    that protection on affected ROMMON releases.
    A successful exploit could allow the attacker to read any file or reset the
    enable password.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco IOS XE ROMMON
    Software and had the password-recovery disable feature enabled:

       Catalyst 3600 Series Switches
       Catalyst 3800 Series Switches
       Catalyst 9200 Series Switches
       Catalyst 9300 Series Switches
       Catalyst 9400 Series Switches
       Catalyst 9500 Series Switches
       Catalyst 9600 Series Switches

    For information about which Cisco software releases were vulnerable at the
    time of publication, see the Fixed Software section of this advisory. See
    the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Determine the Cisco IOS XE ROMMON Software Release

    To determine which Cisco IOS XE ROMMON Software release is running on a
    device, log in to the device and use the show version | include BOOTLDR CLI
    command. The following example shows the output of this command for a
    device that is running Cisco IOS XE ROMMON Software Release 17.5.1r:

       Switch# show version | include BOOTLDR
       BOOTLDR: System Bootstrap, Version 17.5.1r [FC4], RELEASE SOFTWARE (P)

    Determine Whether the Password-Recovery Disable Feature is Enabled

    To determine whether the password-recovery disable feature is enabled, log
    in to the device and use the show romvar | include
    SWITCH_DISABLE_PASSWORD_RECOVERY CLI command.
    The following example shows the output of a device that has the
    password-recovery disable feature enabled (SWITCH_DISABLE_PASSWORD_RECOVERY
    value is "1"):

       Switch# show romvar | include SWITCH_DISABLE_PASSWORD_RECOVERY
       SWITCH_DISABLE_PASSWORD_RECOVERY="1"

    If the value is "0" or SWITCH_DISABLE_PASSWORD_RECOVERY is not shown in the
    output of the show romvar CLI command, the password-recovery disable feature
    is not enabled.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are
    known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.
    +-------------------------------+------------------------+------------------------+
    | Cisco Device                  | First Fixed Cisco IOS  | First Fixed Cisco IOS  |
    |                               | XE ROMMON Software     | XE Software Release    |
    |                               | Release                |                        |
    +-------------------------------+------------------------+------------------------+
    | Catalyst 3600 Series Switches | 5.08                   | 16.12.7                |
    | Catalyst 3800 Series Switches | 5.08                   | 16.12.7                |
    | Catalyst 9200 Series Switches | 17.8.1r                | 17.6.3 and 17.8.1      |
    | Catalyst 9300 Series Switches | 17.8.1r                | 17.8.1                 |
    | Catalyst 9400 Series Switches | 17.8.1r                | 17.8.1                 |
    | Catalyst 9500 Series Switches | 17.8.1r                | 17.8.1                 |
    | Catalyst 9600 Series Switches | 17.8.1r                | 17.8.1                 |
    +-------------------------------+------------------------+------------------------+

    ROMMON software is a bootstrap program that initializes the hardware and
    boots Cisco IOS XE Software when a device is powered on or reloaded. ROMMON
    software is bundled with the Cisco IOS XE binary, which can be downloaded
    from the Software Center on Cisco.com. It is not available as a standalone
    binary. Customers who want to upgrade ROMMON to a fixed release will need
    to upgrade the Cisco IOS XE Software to a fixed release. On first boot,
    Cisco IOS XE Software will check the installed ROMMON release and upgrade
    it to the included release if the device is running an older release. A
    second reboot will be required to activate the upgraded ROMMON. Because the
    fix is in ROMMON rather than in the IOS XE image, the IOS XE version alone
    does not prove the device is fixed: after the second reboot, re-run
    show version | include BOOTLDR and confirm the BOOTLDR release is at or
    above the First Fixed ROMMON release in the table.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during the investigation of a TAC Service
    Request.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
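The two checks in the Affected Products section (show version | include BOOTLDR and show romvar | include SWITCH_DISABLE_PASSWORD_RECOVERY) and the First Fixed ROMMON column of the table above can be combined into one triage step over captured CLI output. The following Python script is an added example written for this bulletin; it is not AusCERT's or Cisco's code. The CLI output it parses is constructed to match the advisory's own examples, the platform strings and function names are this example's choices, and it assumes ROMMON releases compare as dotted integer tuples with a trailing "r" ignored (so 17.5.1r sorts before 17.8.1r and 5.08 equals 5.8).

```python
import re
from typing import Optional

# First Fixed Cisco IOS XE ROMMON Software Release per platform, copied from the
# advisory's Fixed Releases table. Only the ROMMON column matters for the check,
# because the flaw is in ROMMON, not in the IOS XE image that carries it.
FIRST_FIXED_ROMMON = {
    "Catalyst 3600 Series Switches": "5.08",
    "Catalyst 3800 Series Switches": "5.08",
    "Catalyst 9200 Series Switches": "17.8.1r",
    "Catalyst 9300 Series Switches": "17.8.1r",
    "Catalyst 9400 Series Switches": "17.8.1r",
    "Catalyst 9500 Series Switches": "17.8.1r",
    "Catalyst 9600 Series Switches": "17.8.1r",
}

# Both patterns are anchored at line start so the echoed command line
# ("Switch# show romvar | include SWITCH_DISABLE_PASSWORD_RECOVERY") is never
# mistaken for the variable itself.
BOOTLDR_RE = re.compile(r"^BOOTLDR:.*?Version\s+(\d+(?:\.\d+)*r?)", re.MULTILINE)
ROMVAR_RE = re.compile(r'^SWITCH_DISABLE_PASSWORD_RECOVERY\s*=\s*"?([01])"?', re.MULTILINE)


def parse_rommon_release(show_version_output: str) -> Optional[str]:
    """Return the ROMMON release from the BOOTLDR line of 'show version', or None."""
    m = BOOTLDR_RE.search(show_version_output)
    return m.group(1) if m else None


def release_key(release: str) -> tuple:
    """Assumption (not from the advisory): releases compare as dotted integers with
    the trailing 'r' dropped, e.g. '5.08' -> (5, 8), '17.8.1r' -> (17, 8, 1)."""
    return tuple(int(part) for part in release.rstrip("r").split("."))


def password_recovery_disabled(show_romvar_output: str) -> bool:
    """True only when SWITCH_DISABLE_PASSWORD_RECOVERY="1". Per the advisory, a
    value of "0" or an absent variable means the feature is not enabled."""
    m = ROMVAR_RE.search(show_romvar_output)
    return m is not None and m.group(1) == "1"


def assess(platform: str, show_version_output: str, show_romvar_output: str) -> dict:
    """Combine both checks: a device is affected only if its ROMMON release is
    older than the first fixed release AND the password-recovery disable
    feature is enabled. Platforms outside the table are rejected rather than
    silently reported as safe."""
    if platform not in FIRST_FIXED_ROMMON:
        raise ValueError(f"{platform!r} is not in the advisory's Fixed Releases table")
    release = parse_rommon_release(show_version_output)
    if release is None:
        raise ValueError("no BOOTLDR line found; run 'show version | include BOOTLDR'")
    fixed = FIRST_FIXED_ROMMON[platform]
    rommon_vulnerable = release_key(release) < release_key(fixed)
    feature_on = password_recovery_disabled(show_romvar_output)
    return {
        "platform": platform,
        "rommon_release": release,
        "first_fixed_rommon": fixed,
        "rommon_vulnerable": rommon_vulnerable,
        "password_recovery_disabled": feature_on,
        "affected": rommon_vulnerable and feature_on,
    }


# Constructed sample output, modelled on the examples in the advisory.
SAMPLE_SHOW_VERSION = (
    "Switch# show version | include BOOTLDR\n"
    "BOOTLDR: System Bootstrap, Version 17.5.1r [FC4], RELEASE SOFTWARE (P)\n"
)
SAMPLE_SHOW_ROMVAR_ON = (
    "Switch# show romvar | include SWITCH_DISABLE_PASSWORD_RECOVERY\n"
    'SWITCH_DISABLE_PASSWORD_RECOVERY="1"\n'
)
# Feature not enabled: the variable is simply absent from the filtered output.
SAMPLE_SHOW_ROMVAR_OFF = "Switch# show romvar | include SWITCH_DISABLE_PASSWORD_RECOVERY\n"

if __name__ == "__main__":
    for romvar in (SAMPLE_SHOW_ROMVAR_ON, SAMPLE_SHOW_ROMVAR_OFF):
        print(assess("Catalyst 9300 Series Switches", SAMPLE_SHOW_VERSION, romvar))
```

Run it once before the upgrade and again after the second reboot: the "rommon_vulnerable" field going False is the confirmation that the bundled ROMMON was actually activated, independent of what the IOS XE version string says.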
Related to This Advisory

  o URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO

Revision History

  o +---------+-------------------------+---------+--------+-------------+
    | Version | Description             | Section | Status | Date        |
    +---------+-------------------------+---------+--------+-------------+
    | 1.0     | Initial public release. | -       | Final  | 2022-SEP-28 |
    +---------+-------------------------+---------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYzUrm8kNZI30y1K9AQiX3RAAm3Rz2rGoHwEC+K90+eCmmPLCV14lp6Y3
8W4bGcyhstd5K9IEXc00ddic+0h5VTcICWDqBX9uLgZpmr0dpTYWOcbabTSdn/44
Qt2SbCPZXst4ma96IsO55ZZ9ZYahyY7EHJCINvO6T6NflhR/vhceTF5MP/DRiSy+
NrZ/2PsHSA6C2229o4V2JM/Yo8Wt8bCQCIQ9gwZVACfcdLq/BNxD3ahaURsyjWL2
tZihUFOiN4I+P2Pb0vQT+kSe2Dgg6vlcwnCdIHVy7JOp8UUAVUMZCcQu08HMWsgM
nQM1ACpmXBKl4A+Y27+oVRFQlfQ5NjAnHEdpRzMTCvzWGU9pA8j/XzNOc4D98EZB
9cqlNGrijkMtEFISy48B1DaAWtKUtoQcOrt3dsnYbkZbm0RAJ1jJ9OwJd/0257On
kQA+pXidDFpbiMeM/dHyX5UBckuBauX4PR+pRa7RzcYzDv8qJJcIJY1TKMcHBWH8
pK4+qrSSdEJzhF5I80INlnhAIyCgQUA+wVuCJfeJKtS26Oucu1yK5j7HUGPWVJAh
jgVGlqdm17/EPvsoJV7ePFB00uKyZOIajkzlPTuu3Tfhpz6egAnVY88Yh270NrWE
xQhrbzam7YzuGWRtvFZiPJb65abU/2zBFJ79K6gskMrOwUcTduNcdJ6dTsoraRGn
7BRS3bBgW7U=
=LOan
-----END PGP SIGNATURE-----