Pierluigi Paganini September 01, 2019

Cisco released security updates for Cisco IOS XE operating system to address a critical vulnerability that could be exploited by a remote attacker to bypass authentication.

Cisco released security updates for Cisco IOS XE OS to address a critical flaw, tracked as CVE-2019-12643, that could be exploited by a remote attacker to bypass authentication.

“On August 28th, 2019, Cisco published a Security Advisory titled “Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Vulnerability”, disclosing an internally found vulnerability which affects the Cisco REST API container for Cisco IOS XE.” reads an advisory published by CISCO PSIRT. “An exploit could be used to bypass authentication on Cisco routers configured with the REST API support for Cisco IOS XE Software.”

The vulnerability resides in the Cisco REST API container, an attacker could exploit the flaw to submit commands through the REST API that will be executed on the vulnerable device.

The REST API container provides an alternative interface of RESTful APIs that allows managing devices running Cisco IOS-XE Software. The REST API container is located in a virtual services container, which is a virtualized environment running on the host device. The REST API virtual service is delivered as an open virtual application (OVA) package file.

This CVE-2019-12643 flaw was discovered by researchers at Cisco during internal testing, it received a severity score of 10.

Only the following Cisco platforms support the vulnerable Cisco REST API container and are potentially impacted by the issue:

• Cisco 4000 Series Integrated Services Routers
• Cisco ASR 1000 Series Aggregation Services Routers
• Cisco Cloud Services Router 1000V Series
• Cisco Integrated Services Virtual Router

Under specific conditions, an attacker could trigger the flaw by sending specially-crafted HTTP requests to an affected device. If an administrator is authenticated to the REST API interface, an attacker can obtain the ‘token-id‘ and run commands with elevated privileges.

“The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device.”

Cisco’s advisory pointed out that the REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices.

The exploitation of the issue is possible only if the target device has enabled a vulnerable version of the Cisco REST API virtual service container.

Administrators should install version 16.09.03 of the REST API virtual device container (“iosxe-remote-mgmt.16.09.03.ova”), that addressed the flaw. Cisco also released a hardened Cisco IOS XE Software release that prevents installation or activation of a vulnerable container on a device.

“Cisco has also released a hardened Cisco IOS XE Software release that prevents installation or activation of a vulnerable container on a device. If the device was already configured with an active vulnerable container, the IOS XE Software upgrade will deactivate the container, making the device not vulnerable.”continues Cisco “In that case, to restore the REST API functionality, customers should upgrade the Cisco REST API virtual service container to a fixed software release.”

Cisco confirmed that are no workarounds available.

Pierluigi Paganini

(SecurityAffairs – Cisco IOS XE, CVE-2019-12643)

[adrotate banner=”5″]

[adrotate banner=”13″]