A critical vulnerability has been discovered in several series of Cisco IOS XE routers. This is a rare case of a vulnerability rated 10 out of 10 on the threat scale. Cisco Systems strongly recommends installing the patch on routers running the IOS XE operating system as a matter of urgency. The vulnerability that this patch fixes, CVE-2019-12643, received a rare 10 points out of a possible 10 on the CVSS threat scale.
The vulnerability itself was identified in the Cisco REST API virtual container. By exploiting it, an attacker can bypass authentication on a Cisco IOS XE device with very little effort.
The root cause is insufficient checks in the code that handles authentication for this software component.
“A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device,” Cisco says in its report.
Although the vulnerability is considered “absolutely critical”, there are a number of nuances that somewhat reduce its threat.
In particular, the REST API is inactive by default. It must be specifically installed and activated on devices running IOS XE; otherwise the vulnerability cannot be exploited.
According to Cisco’s description, once the REST API container service is activated, the entire device is vulnerable. The manufacturer has therefore released not only a fixed version of the REST API but also a “hardened” version of Cisco IOS XE, which prevents a vulnerable version of the container from being installed or activated, and deactivates it if it was installed and activated earlier.
Cisco’s REST API is an application that runs in a virtual container on the device and is distributed as an open virtual appliance (OVA) package with an .ova extension.
At the moment it is known for certain that the vulnerability affects routers of the 4000, ASR 1000 and 1000V series. Virtual routers (Cisco Integrated Services Virtual Router) are also vulnerable.
“Cisco routers are among the most popular devices of this kind in the world, so any vulnerability in them poses an increased threat. A score of 10 out of 10, however, is pretty rare: it should mean that exploitation of the vulnerability is extremely simple and that, as a result, the attacker gains full control over the device. In any case, the released patch should be installed as quickly as possible,” the security experts at Cisco advise.
To cut off the attack vector, administrators can also delete Cisco’s REST API OVA package, which in some cases is bundled with the IOS XE software image. However, Cisco also notes that the vulnerability cannot be fully mitigated by a workaround alone.
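Because the REST API container is off by default and the workaround is to remove or deactivate it, the first defensive step is to find out which devices actually have it installed or activated. The following triage helper is an added example, not code from the article or from Cisco: it parses the text of the IOS XE `show virtual-service detail` command collected from several devices and flags those that still need action. The container name `csr_mgmt`, the state values and the exact output layout are assumptions modelled on that command’s typical output.

```python
import re

# Added example (not from the article or from Cisco). Assumptions: the REST API
# container is listed as "csr_mgmt", and each container block in the output of
# `show virtual-service detail` starts with "Virtual service <name> detail"
# followed by a "State : <value>" line.
REST_CONTAINER = "csr_mgmt"
HEADER = re.compile(r"^Virtual service (\S+) detail", re.MULTILINE)
STATE = re.compile(r"^\s+State\s*:\s*(\S+)", re.MULTILINE)


def container_states(show_output):
    """Map every virtual-service name found in the output to its reported State."""
    states = {}
    headers = list(HEADER.finditer(show_output))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(show_output)
        block = show_output[m.end():end]
        s = STATE.search(block)
        states[m.group(1)] = s.group(1) if s else "Unknown"
    return states


def classify(show_output):
    """'activated': device exposed; 'installed': container present but not running
    (still remove it); 'absent': REST API never installed, so not exploitable."""
    state = container_states(show_output).get(REST_CONTAINER)
    if state is None:
        return "absent"
    return "activated" if state.lower() == "activated" else "installed"


def triage(inventory):
    """inventory: {hostname: show-output}. Returns (host, verdict) pairs, sorted by
    host, for every device where the container is installed or activated."""
    verdicts = {host: classify(out) for host, out in inventory.items()}
    return [(h, v) for h, v in sorted(verdicts.items()) if v != "absent"]


# Constructed sample outputs for three devices (not captured from real routers).
EDGE1 = "Virtual service csr_mgmt detail\n  State                 : Activated\n" \
        "  Owner                 : IOSd\n"
EDGE2 = "Virtual service csr_mgmt detail\n  State                 : Installed\n"
CORE1 = "% No virtual services installed\n"

if __name__ == "__main__":
    for host, verdict in triage({"edge1": EDGE1, "edge2": EDGE2, "core1": CORE1}):
        print(f"{host}: REST API container {verdict}")
```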