Despite being one of the world’s leading technology companies, Cisco remains vulnerable to some security flaws in its various products. This time, digital forensics specialists reported the finding of a serious vulnerability in the company’s devices running the IOS XE operating system.
Tracked as CVE-2019-12643, this is a critical
vulnerability present in the REST API Virtual Service Container for Cisco IOS
XE that, if exploited, would allow threat actors to bypass authentication on a
compromised device. Given its characteristics, the flaw has a score of 10/10 on
the Common Vulnerability Scoring System (CVSS) scale.
According to digital forensics experts, the
flaw exists due to inappropriate verification in a code area that operates the
REST API authentication service. The products most affected by this vulnerability
are Cisco routers, primarily ASR 1000 Series Aggregation Service Router, Cisco
Cloud Services Router 1000V, and Cisco Integrated Services Virtual Router.
In their investigation, experts claim that this
flaw can be exploited by an unauthenticated remote attacker by sending specially
crafted HTTP requests to the compromised system. This will result in the
exposure of a token identifier from authenticated users.
“While this is a critical security error,
we must consider that its exploitation depends on multiple pre-attack factors
and conditions, so the exploitation complexity increases considerably,”
says Scott Ceveza, one of the specialists in charge of this research. “For
example, the user must sign in to the device so the attackers can get the token
identifier,” the expert adds.
On the other hand, a digital forensics
specialist from the application security automation firm ShiftLeft Inc.
believes this flaw is an important and timely security reminder:
“Application security must be extended to each and every one of the code
snippets that operate on an organization’s networks,” he says. “API
dependencies fulfill a very important mission, allowing each organization to
focus on the code for which the greatest value is added, leveraging the
innovation of other companies to take full advantage of their APIs; however, by
integrating an external API into an application, its security flaws are also
being added,” the expert concluded.
According to digital forensics specialists from
the International Institute of Cyber Security (IICS), Cisco Systems released
iosxe-remote-mgmt.16.03.03.ova, an updated version of the compromised virtual
services container. In addition, some additional protection measures were added
in the most recent versions of IOS XE system, available only to Cisco licensed
users.
