Critical root access vulnerability on Cisco devices alert! Patch immediately

Cisco has just released a new set of security updates for the Cisco IOS Software IOx application. According to ethical hacking specialists, these updates fix a vulnerability that, if exploited, would allow remote threat actors without authentication to access the guest operating system (Guest OS) as the root user.

The flaw, tracked as CVE-2019-12648, exists due to a weakness in system access control and has a score of 9.9/10 on the Common Vulnerability Scoring System (CVSS) scale, making it a critical security flaw.

The vulnerability primarily affects Cisco 100 Series Connected Grid (CGR 1000) routers, in addition to Cisco 800 Series Industrial Integrated Services routers running out-of-date versions of Cisco IOS software with Guest OS installed, according to ethical hacking specialists.

In its security alert, the company notes that: “The flaw exists due to an incorrect assessment of role-based access control (RBAC) when a user with reduced privileges requests access to Guest OS, which should be restricted to users with administrator privileges”. In other words, a threat actor might exploit the vulnerability to authenticate to the guest operating system using the access credentials of an unprivileged user.

“The Guest OS feature is available as part of an IOS package image that contains the hypervisor, IOS, and Guest OS images”, adds the company alert. “Customers who used a Cisco IOS software image package to perform initial installations or software updates will have Guest OS installed automatically.”

Ethical hacking experts mention that Cisco has already released security updates to fix these flaws. Customers are encouraged to contact the Cisco Technical Assistance Center for further information on this vulnerability.

If there is any doubt about whether a device is vulnerable, system administrators can enter the show iox host list detail command to determine whether Guest OS is installed and enabled on their devices.

At the moment there are no functional workarounds for CVE-2019-12648 on devices that cannot be updated quickly. However, the attack surface exposed by this vulnerability can be removed by uninstalling the Guest OS with the guest-os image uninstall command, at least until it is possible to patch the vulnerable systems.
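The check and the interim workaround above can be turned into a small fleet triage routine. The following Python script is an added example, not Cisco's tooling or anything from the advisory: it reads the text a device returned for show iox host list detail, decides whether Guest OS is registered, and maps each device to the action the advisory calls for (fixed release, patch now, or uninstall Guest OS in the meantime). The sample command outputs are constructed, and the line patterns the parser looks for (the "Count of hosts registered" line and "Host Name:" entries) are assumptions about the output format; adjust the regexes to match the output of your own devices.

```python
"""Triage helper for CVE-2019-12648 exposure (added example, not Cisco's own code).

Assumption: the `show iox host list detail` output format below is a constructed
approximation. Tune the regular expressions to what your devices actually print.
"""
import re
from dataclasses import dataclass

# Constructed sample outputs (NOT captured from real devices).
WITH_GUEST_OS = """\
IOX Server is running. Process ID: 328
Count of hosts registered: 1

Host registered:
===============
    IOX Server Address: FE80::1:1
    IOX Server Port: 22222
    Host Name: Guest-OS
    Host Status: RUNNING
"""

WITHOUT_GUEST_OS = """\
IOX Server is running. Process ID: 328
Count of hosts registered: 0
"""

IOX_DISABLED = """\
IOX Server is not running.
"""


def guest_os_present(output: str) -> bool:
    """Return True when the command output lists at least one registered host.

    Assumed format: a 'Count of hosts registered: N' summary line, optionally
    followed by per-host blocks containing a 'Host Name:' line.
    """
    if re.search(r"IOX Server is not running", output, re.IGNORECASE):
        return False
    match = re.search(r"Count of hosts registered:\s*(\d+)", output)
    if match:
        return int(match.group(1)) > 0
    # Fallback when the summary line is missing: any explicit host entry counts.
    return bool(re.search(r"^\s*Host Name:", output, re.MULTILINE))


@dataclass
class Device:
    name: str
    patched: bool      # running a fixed IOS release (determined from your inventory)
    iox_output: str    # raw text returned by `show iox host list detail`


def triage(devices):
    """Map each device name to the action the advisory calls for."""
    actions = {}
    for dev in devices:
        if dev.patched:
            actions[dev.name] = "ok: fixed release installed"
        elif guest_os_present(dev.iox_output):
            actions[dev.name] = (
                "exposed: patch now, or run 'guest-os image uninstall' "
                "as an interim workaround"
            )
        else:
            actions[dev.name] = "not exposed: Guest OS not installed (still schedule the update)"
    return actions


if __name__ == "__main__":
    fleet = [
        Device("cgr-1000-site-a", patched=False, iox_output=WITH_GUEST_OS),
        Device("ir-800-site-b", patched=False, iox_output=WITHOUT_GUEST_OS),
        Device("ir-800-site-c", patched=True, iox_output=WITH_GUEST_OS),
        Device("cgr-1000-site-d", patched=False, iox_output=IOX_DISABLED),
    ]
    for name, action in triage(fleet).items():
        print(f"{name}: {action}")
```

Feeding it real output is a matter of replacing the constructed strings with what each device returns over your existing management channel; the "patched" flag is best derived from the running IOS version in your inventory rather than guessed from the IOx output.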

In addition to this critical vulnerability, Cisco released reports on at least 12 additional security flaws with CVSS scores of at least 7.5. According to ethical hacking specialists of the International Institute of Cyber Security (IICS), the company has already released updates to correct all these flaws, completely mitigating the risk of exploitation.
