Cisco today published an update for its IOS XE operating system to patch a critical vulnerability that could allow a remote attacker to bypass authentication on devices running an outdated version of virtual service containers.
Virtual services containers are used to run processes in an isolated environment. They come as an open virtual application (OVA) package and can run applications that serve various purposes.
Admins can equip the machine with tools for troubleshooting, for fulfilling common network functions, or for analysis and monitoring. A common use is to extend the capabilities of the host network.
Maximum severity score
The security issue is tracked as CVE-2019-12643. It received the maximum severity score of 10 and resides in the REST API virtual service container for Cisco’s OS.
The following products are affected by this security flaw:
- Cisco 4000 Series Integrated Services Routers
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
- Cisco Integrated Services Virtual Router
If specific conditions are met, exploitation is possible by simply sending malicious HTTP requests to a target device. If an administrator is logged into the REST API interface, an adversary can obtain their ‘token-id’ and run commands with elevated privileges.
Besides an admin being authenticated, the target device also needs to have enabled a vulnerable version of the Cisco REST API virtual service container.
Network administrators should install version 16.09.03 of the REST API virtual service container (“iosxe-remote-mgmt.16.09.03.ova”), which patches the authentication bypass bug. To further protect customers, Cisco released a hardened version of the IOS XE software that does not allow installation or activation of a vulnerable container.
There are no workarounds available, the company says in the security advisory for the flaw. Cisco’s Product Security Incident Response Team (PSIRT) is not aware of this vulnerability being exploited.
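The two conditions above (a container older than 16.09.03 installed, and the REST API container enabled) can be checked across a device inventory. The script below is an added example, not Cisco tooling; the fixed package name comes from the advisory, while the hostnames, versions and record layout are constructed for illustration.

```python
# Added example (not Cisco's tooling): audit an inventory of IOS XE devices
# for REST API virtual service containers older than the fixed release.
# The fixed package name iosxe-remote-mgmt.16.09.03.ova is from the advisory;
# the inventory below is constructed sample data, not real devices.
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (16, 9, 3)  # iosxe-remote-mgmt.16.09.03.ova
OVA_RE = re.compile(r"^iosxe-remote-mgmt\.(\d+)\.(\d+)\.(\d+)\.ova$")


def parse_ova_version(package: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the OVA file name, or None if it is
    not a REST API container package. Parts are compared as integers, so the
    zero padding in names such as 16.09.03 does not affect the ordering."""
    m = OVA_RE.match(package.strip())
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def classify(record: Dict[str, object]) -> str:
    """'none'    - no REST API container installed
       'fixed'   - container at or above 16.09.03
       'stale'   - vulnerable container installed but not enabled (upgrade anyway)
       'exposed' - vulnerable container installed AND enabled (both advisory conditions)"""
    package = record.get("ova")
    if not isinstance(package, str):
        return "none"
    version = parse_ova_version(package)
    if version is None or version >= FIXED_VERSION:
        return "fixed"
    return "exposed" if record.get("enabled") else "stale"


def audit(inventory: Dict[str, Dict[str, object]]) -> List[str]:
    """Return the sorted hostnames that meet both exploitation conditions."""
    return sorted(h for h, rec in inventory.items() if classify(rec) == "exposed")


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY: Dict[str, Dict[str, object]] = {
    "isr4k-branch-1": {"ova": "iosxe-remote-mgmt.16.09.01.ova", "enabled": True},
    "asr1k-core-1":   {"ova": "iosxe-remote-mgmt.16.09.03.ova", "enabled": True},
    "csr1kv-lab":     {"ova": "iosxe-remote-mgmt.16.08.01.ova", "enabled": False},
    "isrv-dc-2":      {"ova": None, "enabled": False},
    "csr1kv-cloud":   {"ova": "iosxe-remote-mgmt.16.9.3.ova", "enabled": True},
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable REST API container enabled; install 16.09.03")
```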
High and medium severity bugs
Apart from this advisory, the company published security announcements for nine other issues of high and medium severity affecting Unified Computing System (UCS) Fabric Interconnect, FXOS, NX-OS, and Nexus 9000 Series Fabric Switches.
Four of the high severity problems were found in NX-OS software. Two allow an unauthenticated, remote attacker to crash the device (CVE-2019-1962) or to cause an unexpected restart of the netstack process (CVE-2019-19624).
The other two enable a logged-in adversary to restart the SNMP application (CVE-2019-1963) or to exhaust the system’s memory by preventing a virtual shell (VSH) process from being deleted when a remote connection is terminated (CVE-2019-1965).
The high severity issue in Cisco’s Fabric Interconnect is tracked as CVE-2019-1966 and leads to local privilege escalation to root permission level. The adversary can exploit “extraneous subcommand options present for a specific CLI command within the local-mgmt context.”
All vulnerabilities described in today’s bulletin were discovered internally by Cisco during security testing or while solving customer support cases.