Cisco releases ten advisories, including one critical advisory impacting Cisco IOS XE devices with the REST API Container enabled.
On August 28, Cisco released 10 advisories to address vulnerabilities across multiple products, including Cisco NX-OS and FXOS, Nexus 9000 Series Fabric Switches and Unified Computing System (UCS) Fabric. The most severe vulnerability, which Cisco rates as critical, exists in the REST API Container for Cisco IOS XE.
CVE-2019-12643 is an authentication bypass vulnerability in the REST API virtual service container for Cisco IOS XE software that received a CVSSv3 score of 10.0 from Cisco. The vulnerability could be exploited by an unauthenticated, remote attacker sending specially crafted web requests to a vulnerable device, resulting in the exposure of an authenticated users’ token-id. Obtaining a token-id for an authenticated user would enable an attacker to bypass authentication via the REST API, allowing them to “execute privileged actions” on the vulnerable device.
Despite the severity of this issue, Cisco notes that the following specific requirements need to be met for an attacker to be able to exploit this vulnerability:
- The device is running an affected Cisco IOS XE Software release
- The device has both installed and enabled an affected version of the Cisco REST API virtual service container.
- An authorized user with administrator credentials (level 15) is authenticated to the REST API interface.
The second point above is very important, as the REST API container is not available by default, and requires installation and activation.
Cisco’s advisory notes they’ve identified a number of devices potentially affected by this vulnerability.
|Cisco 4000 Series Integrated Services Routers|
|Cisco ASR 1000 Series Aggregation Services Routers|
|Cisco Cloud Services Router 1000V Series|
|Cisco Integrated Services Virtual Router|
If the REST API virtual service container is installed and enabled on a device, administrators can identify virtual service container name and version information by the following command:
show virtual-service version installed
The following is a list of affected virtual service containers for the Cisco REST API:
|Virtual Service Container Name||Version|
|mgmt||1.5.1, 1.6.1, 1.7.1, 1.7.2, 1.8.1, 162.1, 99.99.99|
|csr_mgmt (Cloud Services Router)||03.16.03, 03.16.04, 1.0.0, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1, 162.1, 163.1, 2017.6, 2017.10, 99.99.99|
Proof of concept
CVE-2019-12643 was discovered by Cisco during internal testing, so no proofs-of-concept (PoCs) exist for it at this time. There was also no PoC code available for any of the remaining advisories released by Cisco on August 28.
Cisco published a blog on CVE-2019-12643, entitled Insights Regarding the Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability.
For the vulnerability in the REST API Container for Cisco IOS XE, Cisco released iosxe-remote-mgmt.16.03.03.ova, a fixed version of the virtual service container. They also released updates to IOS XE with additional safeguards to prevent a vulnerable open virtual format (OVA) package from being installed.
To determine if your version of Cisco IOS XE is affected, please use Cisco’s IOS Software checker tool.
Cisco also released software updates to address the other vulnerabilities reported in their advisories. Please refer to those individual advisories for specific details regarding affected and fixed versions as well as workarounds.
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
- Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability
- Cisco PSIRT Blog for CVE-2019-12643
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息，全面管理现代攻击面。
Get a free 60-day trial of Tenable.io Vulnerability Management.