Cisco IOS and IOS XE Software Network Plug-and-Play Agent Certificate Validation Vulnerability

Vulnerability

The vulnerability resides in the Cisco Network Plug-and-Play (PnP) agent of Cisco IOS Software and Cisco IOS XE Software. The affected software insufficiently validates certificates, allowing an attacker to supply a crafted certificate. The PnP agent is enabled by default on all platforms but is only initiated when the startup configuration is absent or a PnP profile has been configured and activated via the CLI. Administrators can check for a configured profile using the show pnp profile command. For a complete list of vulnerable releases, refer to the Fixed Software section of the Cisco advisory [1].

Exploitation

An unauthenticated, remote attacker can exploit this vulnerability by supplying a crafted certificate to an affected device. No authentication or prior access is required. The attacker must be able to intercept or redirect network traffic to the device to perform a man-in-the-middle attack. The exploitation does not require user interaction beyond the normal operation of the PnP agent.

Impact

Successful exploitation allows the attacker to conduct man-in-the-middle attacks, enabling decryption and modification of confidential information on user connections to the affected software. This compromises both confidentiality and integrity of data transmitted through the PnP agent.

Mitigation

Cisco has released fixed software versions for both Cisco IOS and IOS XE Software. The specific fixed releases are detailed in the Cisco Security Advisory [1]. As a workaround, administrators can disable the PnP agent if it is not required. No known exploitation in the wild or inclusion in the CISA KEV catalog has been reported at the time of publication.