Cisco is urging customers to install updates for a critical bug affecting its popular IOS XE operating system that powers millions of enterprise network devices around the world.
The bug has a rare Common Vulnerability Scoring System (CVSS) version 3 rating of 10 out of a possible 10 and allows anyone on the internet to bypass the login for an IOS XE device without the correct password.
The flaw, tracked as CVE-2019-12643, affects Cisco’s REST application programming interface (API) virtual container for IOS XE and exists because the software doesn’t properly check the code that manages the API’s authentication service.
“An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device,” Cisco warns.
“A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device.”
Cisco says it has confirmed that the bug affects Cisco 4000 Series Integrated Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, the Cisco Cloud Services Router 1000V Series, and the Cisco Integrated Services Virtual Router.
The good news is that the affected REST API virtual service container isn’t enabled by default and needs to be installed and activated separately on IOS XE devices.
However, if it is enabled, the underlying IOS XE device is vulnerable to the attack. The bug was found during internal testing and isn’t known to be currently under attack.
Cisco has provided command-line instructions for admins to check whether the REST API has been enabled or not. It’s also provided a list of vulnerable versions of the container.
Cisco’s REST API is an application that runs in a virtual container on a device and comes in the form of an open virtual application (OVA) with an .ova extension.
To cut off the attack vector, admins can delete Cisco’s REST API OVA package, which in some cases is bundled with the IOS XE software image. However, Cisco also notes that the vulnerability can’t be fully mitigated with a workaround.
Cisco is recommending admins upgrade both the REST API virtual service container and IOS XE. The container version that is fixed is iosxe-remote-mgmt.16.09.03.ova.
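As an added illustration (not Cisco’s tooling or code from the article), a short Python triage script that walks a constructed device inventory and flags devices where the REST API container is activated and its OVA image is older than the fixed iosxe-remote-mgmt.16.09.03.ova. The inventory format, the hostnames, and the assumption that any 16.09.03-or-later image counts as fixed are mine.

```python
import re
from typing import NamedTuple

# Fixed container image named in the advisory (version 16.09.03).
FIXED_OVA = "iosxe-remote-mgmt.16.09.03.ova"
OVA_RE = re.compile(r"^iosxe-remote-mgmt\.(\d+)\.(\d+)\.(\d+)\.ova$")


def ova_version(filename: str):
    """Return the (major, minor, patch) tuple of a REST API OVA name, or None."""
    m = OVA_RE.match(filename.strip())
    return tuple(int(x) for x in m.groups()) if m else None


FIXED_VERSION = ova_version(FIXED_OVA)


class Device(NamedTuple):
    hostname: str
    rest_api_enabled: bool  # container installed and activated on the device
    ova: str                # OVA image name reported for the container, "" if none


def triage(devices):
    """Classify each device as 'not_exposed', 'vulnerable', 'fixed' or 'unknown'."""
    result = {}
    for d in devices:
        if not d.rest_api_enabled:
            result[d.hostname] = "not_exposed"  # container not active: no attack surface
            continue
        ver = ova_version(d.ova)
        if ver is None:
            result[d.hostname] = "unknown"      # unparseable version: verify by hand
        elif ver < FIXED_VERSION:               # assumption: >= 16.09.03 is fixed
            result[d.hostname] = "vulnerable"   # upgrade both container and IOS XE
        else:
            result[d.hostname] = "fixed"
    return result


# Constructed sample inventory (hostnames and image names are made up).
SAMPLE = [
    Device("isr4451-edge", True, "iosxe-remote-mgmt.16.09.01.ova"),
    Device("asr1001-core", True, FIXED_OVA),
    Device("csr1000v-lab", False, ""),
    Device("isr4331-branch", True, "unknown-image.ova"),
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```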
Cisco also disclosed five high-severity flaws that affected its Unified Computing System Fabric Interconnect, NX-OS software and FXOS software.