Cisco IOS XE Software Web UI Path Traversal Vulnerability
Cisco Security Advisory
Emergency Support:
+1 877 228 7302 (toll-free within North America)
+1 408 525 6532 (International direct-dial)
Non-emergency Support:
Email: psirt@cisco.com
Support requests that are received via e-mail are typically acknowledged within 48 hours.
Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.
More information can be found in Cisco Security Vulnerability Policy available at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Advisory ID: cisco-sa-webui-pthtrv-es7GSb9V
Status: Final
Version: 1.0
Revision 1.0 (2023-03-22T15:49:41): Initial public release.
First published: 2023-03-22T16:00:00
Last updated: 2023-03-22T16:00:00
TVCE
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to perform a directory traversal and access resources that are outside the filesystem mountpoint of the web UI.
This vulnerability is due to an insufficient security configuration. An attacker could exploit this vulnerability by sending a crafted request to the web UI. A successful exploit could allow the attacker to gain read access to files that are outside the filesystem mountpoint of the web UI.
Note: These files are located on a restricted filesystem that is maintained for the web UI. There is no ability to write to any files on this filesystem.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-pthtrv-es7GSb9V
This advisory is part of the March 2023 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2023 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication ["https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-74842"].
At the time of publication, this vulnerability affected Cisco IOS XE Software if it had the web UI enabled.
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory.
Determine the HTTP Server Configuration
To determine whether the HTTP Server feature is enabled for a device, log in to the device and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the device.
The following example shows the output of the show running-config | include ip http server|secure|active command for a device that has the HTTP Server feature enabled:
Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server
Note: The presence of either command or both commands in the device configuration indicates that the web UI feature is enabled.
If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.
If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.
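The check above is easy to get wrong at scale: `no ip http server` must not be mistaken for `ip http server`, `ip http server` must not match `ip http secure-server`, and the two `active-session-modules none` variants each neutralise only their own transport. The following script, added here as an example and not Cisco tooling, applies exactly the configuration rules the advisory states to a saved running-config and returns which transports remain exploitable together with the advisory's mitigation commands for them. It does not check the software release; the sample configurations and hostnames are constructed for the example.

```python
"""Triage a Cisco IOS XE running-config for the web UI attack surface
described in cisco-sa-webui-pthtrv-es7GSb9V.

Added example, not Cisco tooling. Only the advisory's configuration rules
are applied: the attack vector exists when `ip http server` or
`ip http secure-server` is configured, and `ip http active-session-modules
none` / `ip http secure-active-session-modules none` remove exploitability
over HTTP / HTTPS respectively. Release level is not checked here; use the
Cisco Software Checker for that.
"""
from __future__ import annotations

from dataclasses import dataclass

HTTP_SERVER = "ip http server"
HTTPS_SERVER = "ip http secure-server"
HTTP_NO_MODULES = "ip http active-session-modules none"
HTTPS_NO_MODULES = "ip http secure-active-session-modules none"


@dataclass(frozen=True)
class WebUiExposure:
    http_enabled: bool
    https_enabled: bool
    exploitable_over_http: bool
    exploitable_over_https: bool

    @property
    def web_ui_enabled(self) -> bool:
        return self.http_enabled or self.https_enabled

    @property
    def exposed(self) -> bool:
        return self.exploitable_over_http or self.exploitable_over_https


def global_config_lines(running_config: str) -> set[str]:
    """Return the set of global (unindented) configuration lines.

    Indented lines belong to interface/line/other sub-modes and cannot be
    the global `ip http ...` commands, so they are skipped. Matching is on
    the whole normalised line, so `no ip http server` does not match
    HTTP_SERVER and `ip http secure-server` does not match it either.
    """
    lines: set[str] = set()
    for raw in running_config.splitlines():
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue
        lines.add(" ".join(raw.split()))  # normalise internal whitespace
    return lines


def assess(running_config: str) -> WebUiExposure:
    cfg = global_config_lines(running_config)
    http_on = HTTP_SERVER in cfg
    https_on = HTTPS_SERVER in cfg
    return WebUiExposure(
        http_enabled=http_on,
        https_enabled=https_on,
        exploitable_over_http=http_on and HTTP_NO_MODULES not in cfg,
        exploitable_over_https=https_on and HTTPS_NO_MODULES not in cfg,
    )


def mitigation_commands(exposure: WebUiExposure) -> list[str]:
    """Global-configuration commands from the advisory's mitigation section
    that remove the remaining attack vector; empty when nothing is exposed."""
    cmds = []
    if exposure.exploitable_over_http:
        cmds.append("no ip http server")
    if exposure.exploitable_over_https:
        cmds.append("no ip http secure-server")
    return cmds


# Constructed sample configs for the example (not captured from real devices).
SAMPLE_EXPOSED = """\
!
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

SAMPLE_HTTPS_ONLY_NO_MODULES = """\
!
hostname edge-rtr-02
!
no ip http server
ip http secure-server
ip http secure-active-session-modules none
!
"""

if __name__ == "__main__":
    for name, cfg in (("edge-rtr-01", SAMPLE_EXPOSED),
                      ("edge-rtr-02", SAMPLE_HTTPS_ONLY_NO_MODULES)):
        e = assess(cfg)
        print(f"{name}: web UI enabled={e.web_ui_enabled} "
              f"http exploitable={e.exploitable_over_http} "
              f"https exploitable={e.exploitable_over_https} "
              f"mitigation={mitigation_commands(e)}")
```

Run it against configs exported with `show running-config` from each device; a device reported as exposed still needs the fixed release, because the mitigation only closes the attack vector and the advisory lists no workaround.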
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
There are no workarounds that address this vulnerability.
Disabling the HTTP Server feature eliminates the attack vector for this vulnerability and may be a suitable mitigation until affected devices can be upgraded. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker ["https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"]. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).
To use the tool, go to the Cisco Software Checker ["https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"] page and follow the instructions: choose which advisories the tool will search (only this advisory, only advisories with a Critical or High Security Impact Rating (SIR) ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#asr"], or all advisories), enter a release number (for example, 15.9(3)M2 or 17.3.3), and click Check.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Cisco would like to thank Elias Ikkelä-Koski for reporting this vulnerability.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
References:
Cisco IOS XE Software Web UI Path Traversal Vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-pthtrv-es7GSb9V
Cisco Event Response: March 2023 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication: https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-74842
Known affected releases at the time of publication:
Cisco IOS XE Software 16.1.1
Cisco IOS XE Software 16.1.2
Cisco IOS XE Software 16.1.3
Cisco IOS XE Software 16.2.1
Cisco IOS XE Software 16.2.2
Cisco IOS XE Software 16.3.1
Cisco IOS XE Software 16.3.2
Cisco IOS XE Software 16.3.3
Cisco IOS XE Software 16.3.1a
Cisco IOS XE Software 16.3.4
Cisco IOS XE Software 16.3.5
Cisco IOS XE Software 16.3.5b
Cisco IOS XE Software 16.3.6
Cisco IOS XE Software 16.3.7
Cisco IOS XE Software 16.3.8
Cisco IOS XE Software 16.3.9
Cisco IOS XE Software 16.3.10
Cisco IOS XE Software 16.3.11
Cisco IOS XE Software 16.4.1
Cisco IOS XE Software 16.4.2
Cisco IOS XE Software 16.4.3
Cisco IOS XE Software 16.5.1
Cisco IOS XE Software 16.5.1a
Cisco IOS XE Software 16.5.1b
Cisco IOS XE Software 16.5.2
Cisco IOS XE Software 16.5.3
Cisco IOS XE Software 16.6.1
Cisco IOS XE Software 16.6.2
Cisco IOS XE Software 16.6.3
Cisco IOS XE Software 16.6.4
Cisco IOS XE Software 16.6.5
Cisco IOS XE Software 16.6.4s
Cisco IOS XE Software 16.6.4a
Cisco IOS XE Software 16.6.5a
Cisco IOS XE Software 16.6.6
Cisco IOS XE Software 16.6.5b
Cisco IOS XE Software 16.6.7
Cisco IOS XE Software 16.6.7a
Cisco IOS XE Software 16.6.8
Cisco IOS XE Software 16.6.9
Cisco IOS XE Software 16.6.10
Cisco IOS XE Software 16.7.1
Cisco IOS XE Software 16.7.1a
Cisco IOS XE Software 16.7.1b
Cisco IOS XE Software 16.7.2
Cisco IOS XE Software 16.7.3
Cisco IOS XE Software 16.7.4
Cisco IOS XE Software 16.8.1
Cisco IOS XE Software 16.8.1a
Cisco IOS XE Software 16.8.1b
Cisco IOS XE Software 16.8.1s
Cisco IOS XE Software 16.8.1c
Cisco IOS XE Software 16.8.1d
Cisco IOS XE Software 16.8.2
Cisco IOS XE Software 16.8.1e
Cisco IOS XE Software 16.8.3
Cisco IOS XE Software 16.9.1
Cisco IOS XE Software 16.9.2
Cisco IOS XE Software 16.9.1a
Cisco IOS XE Software 16.9.1b
Cisco IOS XE Software 16.9.1s
Cisco IOS XE Software 16.9.1c
Cisco IOS XE Software 16.9.1d
Cisco IOS XE Software 16.9.3
Cisco IOS XE Software 16.9.2a
Cisco IOS XE Software 16.9.2s
Cisco IOS XE Software 16.9.3h
Cisco IOS XE Software 16.9.4
Cisco IOS XE Software 16.9.3s
Cisco IOS XE Software 16.9.3a
Cisco IOS XE Software 16.9.4c
Cisco IOS XE Software 16.9.5
Cisco IOS XE Software 16.9.5f
Cisco IOS XE Software 16.9.6
Cisco IOS XE Software 16.9.7
Cisco IOS XE Software 16.9.8
Cisco IOS XE Software 16.9.8a
Cisco IOS XE Software 16.9.8b
Cisco IOS XE Software 16.9.8c
Cisco IOS XE Software 16.10.1
Cisco IOS XE Software 16.10.1a
Cisco IOS XE Software 16.10.1b
Cisco IOS XE Software 16.10.1s
Cisco IOS XE Software 16.10.1c
Cisco IOS XE Software 16.10.1e
Cisco IOS XE Software 16.10.1d
Cisco IOS XE Software 16.10.2
Cisco IOS XE Software 16.10.1f
Cisco IOS XE Software 16.10.1g
Cisco IOS XE Software 16.10.3
Cisco IOS XE Software 16.11.1
Cisco IOS XE Software 16.11.1a
Cisco IOS XE Software 16.11.1b
Cisco IOS XE Software 16.11.2
Cisco IOS XE Software 16.11.1s
Cisco IOS XE Software 16.11.1c
Cisco IOS XE Software 16.12.1
Cisco IOS XE Software 16.12.1s
Cisco IOS XE Software 16.12.1a
Cisco IOS XE Software 16.12.1c
Cisco IOS XE Software 16.12.1w
Cisco IOS XE Software 16.12.2
Cisco IOS XE Software 16.12.1y
Cisco IOS XE Software 16.12.2a
Cisco IOS XE Software 16.12.3
Cisco IOS XE Software 16.12.8
Cisco IOS XE Software 16.12.2s
Cisco IOS XE Software 16.12.1x
Cisco IOS XE Software 16.12.1t
Cisco IOS XE Software 16.12.2t
Cisco IOS XE Software 16.12.4
Cisco IOS XE Software 16.12.3s
Cisco IOS XE Software 16.12.1z
Cisco IOS XE Software 16.12.3a
Cisco IOS XE Software 16.12.4a
Cisco IOS XE Software 16.12.5
Cisco IOS XE Software 16.12.6
Cisco IOS XE Software 16.12.1z1
Cisco IOS XE Software 16.12.5a
Cisco IOS XE Software 16.12.5b
Cisco IOS XE Software 16.12.1z2
Cisco IOS XE Software 16.12.6a
Cisco IOS XE Software 16.12.7
Cisco IOS XE Software 17.1.1
Cisco IOS XE Software 17.1.1a
Cisco IOS XE Software 17.1.1s
Cisco IOS XE Software 17.1.2
Cisco IOS XE Software 17.1.1t
Cisco IOS XE Software 17.1.3
Cisco IOS XE Software 17.2.1
Cisco IOS XE Software 17.2.1r
Cisco IOS XE Software 17.2.1a
Cisco IOS XE Software 17.2.1v
Cisco IOS XE Software 17.2.2
Cisco IOS XE Software 17.2.3
Cisco IOS XE Software 17.3.1
Cisco IOS XE Software 17.3.2
Cisco IOS XE Software 17.3.3
Cisco IOS XE Software 17.3.1a
Cisco IOS XE Software 17.3.1w
Cisco IOS XE Software 17.3.2a
Cisco IOS XE Software 17.3.1x
Cisco IOS XE Software 17.3.1z
Cisco IOS XE Software 17.3.3a
Cisco IOS XE Software 17.3.4
Cisco IOS XE Software 17.3.5
Cisco IOS XE Software 17.3.4a
Cisco IOS XE Software 17.3.6
Cisco IOS XE Software 17.3.4b
Cisco IOS XE Software 17.3.4c
Cisco IOS XE Software 17.3.5a
Cisco IOS XE Software 17.3.5b
Cisco IOS XE Software 17.4.1
Cisco IOS XE Software 17.4.2
Cisco IOS XE Software 17.4.1a
Cisco IOS XE Software 17.4.1b
Cisco IOS XE Software 17.4.1c
Cisco IOS XE Software 17.4.2a
Cisco IOS XE Software 17.5.1
Cisco IOS XE Software 17.5.1a
Cisco IOS XE Software 17.6.1
Cisco IOS XE Software 17.6.2
Cisco IOS XE Software 17.6.1w
Cisco IOS XE Software 17.6.1a
Cisco IOS XE Software 17.6.1x
Cisco IOS XE Software 17.6.3
Cisco IOS XE Software 17.6.1y
Cisco IOS XE Software 17.6.1z
Cisco IOS XE Software 17.6.3a
Cisco IOS XE Software 17.6.4
Cisco IOS XE Software 17.6.1z1
Cisco IOS XE Software 17.7.1
Cisco IOS XE Software 17.7.1a
Cisco IOS XE Software 17.7.1b
Cisco IOS XE Software 17.7.2
Cisco IOS XE Software 17.8.1
Cisco IOS XE Software 17.8.1a
Cisco IOS XE Software 17.9.1
Cisco IOS XE Software 17.9.1w
Cisco IOS XE Software 17.9.1a
Affected product: Cisco IOS XE Software
Vulnerability: Cisco IOS XE Software WebUI Path Traversal Vulnerability
Cisco Bug ID: CSCwc76009
Complete.
CVE ID: CVE-2023-20066
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N