Cisco Patches Two Critical RCE Bugs in IOS XE Software

Cisco releases 22 patches as part of its semiannual Cisco IOS and IOS XE software security advisory.

Three critical vulnerabilities were patched by Cisco Systems on Wednesday, each tied to the company’s widely used internetworking operating system IOS XE. Two of the bugs are remote code execution vulnerabilities that could allow an attacker to take control over affected systems.

The critical bug disclosures were three of 22 vulnerabilities disclosed by Cisco on Wednesday, part of the company’s semiannual IOS and IOS XE software security advisory bundled publication. While three maintained a security impact rating of critical, 19 had a rating of high.

The first of the critical flaws (CVE-2018-0151) identified by Cisco is an “IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability.”

“A vulnerability in the quality of service subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges,” the company wrote in its Cisco Security Advisory.

Cisco said the bug is tied to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. Bounds checking is defined as “any method of detecting whether a variable is within some bounds before it is used.”

“An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur,” Cisco said.

Cisco has released software updates and workarounds that mitigate against the vulnerability.

The second “Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability” (CVE-2018-0171) is a flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software.

“The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786,” according to the Cisco advisory.

A successful attack could allow an adversary to perform a buffer overflow attack on a targeted device allowing remote code execution or causing an indefinite loop that would trigger a “watchdog crash.”

A software fix is available, but no workaround exists, the company said.

Lastly, Cisco said vulnerable versions of its Cisco IOS XE Software “could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot.”

This vulnerability (CVE-2018-0150) is due to an undocumented user account “with privilege level 15” hat has a default username and password. “An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access,” Cisco wrote.

Cisco IOS offers 16 privilege levels for access to different system commands. For example, “User EXEC mode” is privilege level 1 and “Privileged EXEC mode” is level 15, which is equivalent to having root privileges.

“This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software Release 16.x. This vulnerability does not affect Cisco IOS XE Software releases prior to Release 16.x,” Cisco wrote.

Cisco said that both a workaround and a patch is available to address CVE-2018-0150.

“To address this vulnerability, administrators may remove the default account by using the ‘no username cisco’ command in the device configuration. Administrators may also address this vulnerability by logging in to the device and changing the password for this account,” Cisco said.

Suggested articles