Headline
CVE-2023-20046: Cisco StarOS - SSH vulnerability (CVE-2023-20046)
A vulnerability in the key-based SSH authentication feature of Cisco StarOS Software could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied credentials. An attacker could exploit this vulnerability by sending a valid low-privileged SSH key to an affected device from a host that has an IP address that is configured as the source for a high-privileged user account. A successful exploit could allow the attacker to log in to the affected device through SSH as a high-privileged user. There are workarounds that address this vulnerability.
Overview
On a GGSN/SPGW mobile core network device running StarOS, an attacker with an account allowed to connect to the device through a valid SSH key could connect as any user account defined with the SSH key authentication method.
Details
Knowing of a high-privilege user allowed to connect to the device via the SSH key method, a low-privilege user could gain privileged access to the affected device.
Affected versions
GGSN / SPGW on mobile core network
- ASR5000: R21.22, R21.27
- vPoP: R21.22, R21.28
Proof of Concept
See the figure
1- Theft of the SSH key of a user (with low privilege) allowed to connect to the device
2- Knowledge of a user (with high privilege) allowed to connect to the device via the SSH key method
3- Launch an SSH connection as the usurped user account using the low-privilege SSH key
Solution
Security patch
Upgrade to a patched Cisco StarOS release, as described in the Cisco Security Advisory.
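The description above ties the flaw to a low-privileged key being presented from a source IP that is configured for a high-privileged account. As an added example (not from this advisory or from Cisco), the following Python check flags such shared sources in an inventory of key-authenticated accounts; the tuple format, account names and numeric privilege ranks are constructed assumptions, not StarOS configuration syntax.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory rows (not from a real device):
# (account, privilege rank where higher = more privileged, key-auth source IP)
SAMPLE_ACCOUNTS = [
    ("noc-view", 1, "192.0.2.10"),
    ("secadmin", 4, "192.0.2.10"),
    ("backup", 2, "192.0.2.20"),
    ("ops", 3, "::ffff:192.0.2.20"),   # same host, written as IPv4-mapped IPv6
    ("auditor", 1, "198.51.100.7"),
]


def normalize(host):
    """Return a canonical IP so '::ffff:192.0.2.20' and '192.0.2.20' compare equal."""
    ip = ipaddress.ip_address(host.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def find_exposed_sources(accounts):
    """Group key-auth accounts by source IP and report each source that is
    shared by accounts of different privilege rank."""
    by_source = defaultdict(list)
    for name, rank, host in accounts:
        by_source[normalize(host)].append((rank, name))

    findings = []
    for source, members in sorted(by_source.items()):
        top_rank = max(rank for rank, _ in members)
        low = sorted(name for rank, name in members if rank < top_rank)
        if low:  # at least one lower-privileged account shares this source
            high = sorted(name for rank, name in members if rank == top_rank)
            findings.append({"source": source, "high": high, "low": low})
    return findings


if __name__ == "__main__":
    for f in find_exposed_sources(SAMPLE_ACCOUNTS):
        print(f"{f['source']}: {f['low']} share a key-auth source with {f['high']}")
```

Sources shared only by accounts of equal rank are not reported by this check, since it looks for the privilege gap named in the description.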
References
https://nvd.nist.gov/vuln/detail/CVE-2023-20046
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-staros-ssh-privesc-BmWeJC3h
Credits
Orange CERT-CC
Adrien MOURIER at Orange group
Timeline
Date reported: December 15, 2022
Date fixed: April 19, 2023