Cisco Releases Patch To Address Critical Bug In IOS XE Devices


Cisco has discovered a vulnerability that leaves devices running its IOS XE operating system open to malicious attacks. Cisco is urging customers to install updates for a critical bug affecting its popular operating system that powers millions of enterprise network devices around the world.

The vulnerability, known as CVE-2019-12643, allows attackers to bypass authentication checks and execute privileged commands on a device running Cisco IOS XE, the operating system installed on Cisco’s enterprise network devices.

The problem starts with an improper authentication check performed by the area of code that manages the REST API, an alternative method for provisioning certain functions on Cisco devices, running in a virtual services container.

The vulnerability can be exploited if an attacker sends specially crafted HTTP requests to a vulnerable device, exposing an authenticated user’s token-id and allowing the attacker to bypass the password-based authentication check.

The bug affects a number of Cisco devices: the Cisco 400 Series Integrated Services Routers, Cisco ASR 1000 Series Aggregation Service Routers, Cisco Cloud Services Router 1000V Series, and Cisco Integrated Services Virtual Router.

“On August 28, Cisco released 10 advisories to address vulnerabilities across multiple products, including Cisco NX-OS and FXOS, Nexus 9000 Series Fabric Switches and Unified Computing System (UCS) Fabric. The most severe vulnerability, which Cisco rates as critical, exists in the REST API Container for Cisco IOS XE,” wrote Satnam Narang, Senior Security Response Manager at Tenable, on the company’s official blog.

Cisco gave the vulnerability a Common Vulnerability Scoring System (CVSS) rating of 10 out of 10, the highest possible score, ranking the bug as ‘critical’. Despite its severity, Cisco noted that specific requirements need to be met for an attacker to actually exploit the bug.

The device needs to be running an affected Cisco IOS XE software release, have the REST API installed and enabled (it’s disabled by default), and an authorized user with admin credentials up to level 15 needs to be authenticated to the REST API interface.

For the vulnerability in the REST API Container for Cisco IOS XE, Cisco released iosxe-remote-mgmt.16.03.03.ova, a fixed version of the virtual service container. They also released updates to IOS XE with additional safeguards to prevent a vulnerable open virtual format (OVA) package from being installed.

Scott Caveza, research engineering manager at Tenable, said, “The critical authentication bypass flaw in Cisco IOS XE could be exploited by an unauthenticated, remote attacker sending specially crafted HTTP requests to a vulnerable device, resulting in the exposure of an authenticated users’ token-id. While the flaw is critical, it’s important to note there are a number of requirements for successful exploitation, including the device has both installed and enabled an affected version of the Cisco REST API virtual service container.”
“In addition, a user must be logged into the device in order to obtain the token-id. Cisco has released iosxe-remote-mgmt.16.03.03.ova, a fixed version of the virtual service container, as well as implemented additional safeguards in updated IOS XE versions,” he said.
