A critical remote authentication-bypass vulnerability – with the highest possible severity level of 10 out of 10 on the CVSS scale – has been found in the Cisco REST API virtual service container for Cisco IOS XE Software.
The bug (CVE-2019-12643) affects the following hardware if running the REST API interface: Cisco 4000 Series Integrated Services Routers; Cisco ASR 1000 Series Aggregation Services Routers; Cisco Cloud Services Router 1000V Series; and Cisco Integrated Services Virtual Routers.
If exploited, it could allow an unauthenticated, remote attacker to bypass authentication on a managed Cisco IOS XE device, and gain full control of it. Code-execution and other attacks are possible.
“The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service,” Cisco explained in its advisory. “A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device.”
An exploit would be a matter of submitting malicious HTTP requests to the targeted device, according to the software giant, which found the bug through internal testing.
The REST API is essentially a virtual machine (VM) running on one of the aforementioned hardware platforms:
“The REST API container is an application that provides a set of RESTful APIs as an alternative method to manage devices running Cisco IOS-XE Software,” explained Cisco security researcher Eugenio Iavarone, in a blog post. “It is located in a virtual services container, which is a virtualized environment running on the host device. It is also referred to as a virtual machine (VM), virtual service, or container. The REST API virtual service is not a native capability within Cisco IOS XE, but it is instead delivered as an open virtual application (OVA) package file.”
The good news is that the REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices.
“While this is a serious vulnerability that should be carefully assessed by customers to determine exposure and impact on their environment, the scope of affected Cisco customer base is contained by the limited number of Cisco hardware platforms supporting the feature and the fact the affected feature is not enabled by default,” Iavarone wrote.
For those companies that have enabled REST API, Cisco has patched the bug in the latest software release (named iosxe-remote-mgmt.16.09.03.ova), and has released a hardened Cisco IOS XE Software version that prevents installation or activation of a vulnerable container on a device going forward.
“If the device was already configured with an active vulnerable container, the IOS XE Software upgrade will deactivate the container, making the device not vulnerable,” the firm noted. “In that case, to restore the REST API functionality, customers should upgrade the Cisco REST API virtual service container to a fixed software release.”
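As an added example (not code from Cisco or from the article), the following Python helper triages a constructed device inventory against the advisory's conditions: an affected platform, an active REST API container, and a container package older than the fixed release named above. The platform labels, the inventory fields and the assumption that later container releases also carry the fix are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed REST API container release named in the article.
FIXED_OVA = "iosxe-remote-mgmt.16.09.03.ova"
# Assumed inventory labels for the four platforms the article lists as affected.
AFFECTED_PLATFORMS = ("ISR4000", "ASR1000", "CSR1000V", "ISRv")


@dataclass
class Device:
    hostname: str
    platform: str
    rest_api_package: Optional[str]  # OVA the container was installed from, or None
    container_active: bool           # whether the virtual service is activated


def ova_version(ova_name: str):
    """Return (major, minor, patch) from a name like 'iosxe-remote-mgmt.16.09.02.ova',
    or None if the name does not carry a recognisable version."""
    m = re.search(r"\.(\d+)\.(\d+)\.(\d+)\.ova$", ova_name)
    return tuple(int(x) for x in m.groups()) if m else None


FIXED_VERSION = ova_version(FIXED_OVA)


def exposure(device: Device) -> str:
    """Classify one device's exposure to CVE-2019-12643 from inventory data alone."""
    if device.platform not in AFFECTED_PLATFORMS:
        return "not_affected_platform"
    # The feature is off by default; a device without an active container is not exposed.
    if not device.container_active or device.rest_api_package is None:
        return "rest_api_not_enabled"
    ver = ova_version(device.rest_api_package)
    if ver is None:
        return "unknown_version"   # flag for manual review rather than guessing
    # Assumption: the fixed release and anything newer contain the fix.
    return "fixed" if ver >= FIXED_VERSION else "vulnerable"


def triage(devices):
    """Map hostname -> exposure class for a whole inventory."""
    return {d.hostname: exposure(d) for d in devices}


# Constructed sample inventory; hostnames and packages are not real devices.
INVENTORY = [
    Device("edge-isr-1", "ISR4000", "iosxe-remote-mgmt.16.09.02.ova", True),
    Device("core-asr-1", "ASR1000", FIXED_OVA, True),
    Device("cloud-csr-1", "CSR1000V", "iosxe-remote-mgmt.16.09.01.ova", False),
    Device("access-sw-1", "Catalyst9300", None, False),
]

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {state}")
```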
Cisco also issued a slew of other patches this week, including several medium- and high-severity denial-of-service flaws in the Cisco NX-OS Software; a medium-severity bug in the Cisco Adaptive Security Appliance; and a high-severity root privilege-escalation vulnerability in the Cisco Unified Computing System Fabric Interconnect.