Unrated severity · NVD Advisory · Published Oct 10, 2022 · Updated Nov 1, 2024

Cisco IOS XE ROM Monitor Software for Catalyst Switches Information Disclosure Vulnerability

CVE-2022-20864

Description

A local attacker can exploit a vulnerability in Cisco IOS XE ROMMON's file and boot variable permissions to recover the configuration or reset the enable password on Catalyst switches.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the password-recovery disable feature of Cisco IOS XE ROM Monitor (ROMMON) Software for Catalyst Switches. It is caused by incorrect file and boot variable permissions in ROMMON. Affected devices include Catalyst 3600 (ROMMON prior to 5.06), 3800 (prior to 5.08), 9200 (prior to 17.8.1r), 9300 (prior to 17.8.1r), 9400 (prior to 17.8.1r), 9500 (prior to 17.8.1r), and 9600 (prior to 17.8.1r) series switches running specific Cisco IOS XE versions. ROMMON is the bootstrap program that initializes hardware and boots Cisco IOS XE Software.

Exploitation

An unauthenticated attacker with physical or console access to the affected switch can exploit this vulnerability by rebooting the device into ROMMON mode and issuing specific commands. No authentication is required, but the attacker must be able to interact with the console during the boot process. The exact commands are not publicly detailed but are sufficient to read any file or reset the enable password.

Impact

Successful exploitation allows the attacker to read arbitrary files from the device's file system or reset the enable password without the original credentials. This could lead to full compromise of the switch, including disclosure of sensitive configuration data and unauthorized administrative access.

Mitigation

Cisco has released fixed ROMMON versions as part of Cisco IOS XE software updates. The first fixed ROMMON releases are: 5.06 for Catalyst 3600, 5.08 for Catalyst 3800, and 17.8.1r for Catalyst 9200, 9300, 9400, 9500, and 9600 series. Upgrade to the corresponding fixed Cisco IOS XE release (e.g., 16.12.7 for 3600/3800, 17.6.3 or 17.8.1 for 9200, 17.8.1 for others) which will automatically upgrade ROMMON on first boot, followed by a second reboot to activate the new ROMMON. No workarounds are available. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
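
The first-fixed ROMMON releases listed under Mitigation can be checked against a device inventory. The following is an added example, not part of the advisory or any Cisco tooling; the inventory layout, hostnames and function names are assumptions, and the sample data is constructed.

```python
import re

# First fixed ROMMON release per Catalyst series, as listed in the Mitigation section.
FIRST_FIXED = {
    "3600": "5.06", "3800": "5.08",
    "9200": "17.8.1r", "9300": "17.8.1r", "9400": "17.8.1r",
    "9500": "17.8.1r", "9600": "17.8.1r",
}

def parse_version(text):
    """Return the leading dotted-numeric part of a version as a tuple of ints.

    Trailing letters or build tags (the 'r' in '17.8.1r') are ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable ROMMON version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def rommon_status(series, rommon):
    """Classify one device as 'fixed', 'vulnerable' or 'unknown'."""
    fixed = FIRST_FIXED.get(series)
    if fixed is None:
        return "unknown"  # series is not in the advisory's affected list
    try:
        have = parse_version(rommon)
    except ValueError:
        return "unknown"  # version string could not be read; needs manual review
    want = parse_version(fixed)
    # Pad to equal length so that 17.8 compares equal to 17.8.0.
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return "fixed" if have >= want else "vulnerable"

def audit(inventory):
    """Map hostname -> status for (hostname, series, rommon_version) rows."""
    return {host: rommon_status(series, rommon) for host, series, rommon in inventory}

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [
    ("sw-access-01", "9300", "17.6.1r"),
    ("sw-core-01", "9500", "17.8.1r"),
    ("sw-edge-01", "3800", "5.07"),
    ("sw-edge-02", "3600", "5.06"),
    ("sw-lab-01", "2960", "15.0"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Feed it the ROMMON version reported after the second reboot, since the new ROMMON is only active from that point.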


References

1
