Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw

Cisco: DNS attacks will undermine trust in the internet
Sophisticated hacking group taps wide set of vulnerabilities as part of their global hacking spree.

Cisco is urging customers to install updates for a critical bug affecting its popular IOS XE operating system that powers millions of enterprise network devices around the world. 

The bug has a rare Common Vulnerability Scoring System (CVSS) version 3 rating of 10 out of a possible 10 and allows anyone on the internet to bypass the login for an IOS XE device without the correct password. 

SEE: 10 tips for new cybersecurity pros (free PDF)

The flaw, tracked as CVE-2019-12643, affects Cisco’s REST application programming interface (API) virtual container for ISO XE and exists because the software doesn’t properly check the code that manages the API’s authentication service. 

“An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device,” Cisco warns. 

“A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device.”

Cisco says it has confirmed that the bug affects Cisco 4000 Series Integrated Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, the Cisco Cloud Services Router 1000V Series, and the Cisco Integrated Services Virtual Router. 

The good news is that the affected REST API virtual service container isn’t enabled by default and needs to be installed and activated separately on IOS XE devices. 

However, if it is enabled, the underlying IOS XE device is vulnerable to the attack. The bug was found during internal testing and isn’t known to be currently under attack. 

Cisco has provided command-line instructions for admins to check whether the REST API has been enabled or not. It’s also provided a list of vulnerable versions of the container. 

Cisco’s REST API is an application that runs in a virtual container on a device and comes in the form of an open virtual application (OVA) with an .ova extension. 

SEE MORE: How secure are your containerized apps?

To cut off the attack vector, admins can delete Cisco’s REST API OVA package that in some cases can be bundled with the IO XE software image. However, Cisco also notes that the vulnerability can’t be fully mitigated with a workaround. 

Cisco is recommending admins upgrade both the REST API virtual service container and IOS XE. The container version that is fixed is iosxe-remote-mgmt.16.09.03.ova.

Cisco also disclosed five high-severity flaws that affected its Unified Computing System Fabric Interconnect, NX-OS software, and FXOS software. 

More on Cisco security