Weekly Comments

27 August - 3 September 2019

Cisco is urging customers to install updates for a critical bug affecting the IOS XE operating system

Cisco is urging customers to install updates for a critical bug affecting the IOS XE operating system. The bug has received the highest possible CVSSv3 rating of 10, meaning exploitation is trivial and can be performed remotely. The flaw, tracked as CVE-2019-12643, affects Cisco's REST application programming interface (API) virtual service container for IOS XE and exists because of an improper check in the code that manages the API's authentication service. An attacker can exploit this vulnerability by submitting malicious HTTP requests to the targeted device and obtaining the token-id of an authenticated user. This token-id can then be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. CVE-2019-12643 affects Cisco 4000 Series Integrated Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, the Cisco Cloud Services Router 1000V Series, and the Cisco Integrated Services Virtual Router. Organisations that have installed and enabled the REST API interface on IOS XE devices are strongly encouraged to upgrade both the REST API virtual service container and IOS XE to mitigate the risk of attack.
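The bug above turns on a stolen or bypassed token-id, so the defender-side signal is a token-id being issued to, or presented from, a host that should not be talking to the management plane. The following script is an added example, not code from Cisco or from this commentary: it runs two checks over a few constructed access-log lines, flagging token issuance requests from outside an assumed management subnet and any token-id that is later presented from more than one source address. The log format (one line per request with the client IP, method, path, status and the token value sent with the request, or "-"), the issuance path /api/v1/auth/token-services, and the 10.0.0.0/24 management network are all assumptions for the example.

```python
"""Added example: flag REST API token-id misuse in constructed access logs.

Assumptions (not from the commentary above): a proxy or WAF in front of
the device's REST API logs each request as
    <client_ip> <method> <path> <status> <token-id sent or '-'>
and token-ids are issued at /api/v1/auth/token-services.
"""
import ipaddress
from collections import defaultdict

# Assumed management subnet; only these hosts should ever request a token-id.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed path at which the REST API hands out a token-id.
TOKEN_ENDPOINT = "/api/v1/auth/token-services"

# Constructed sample log: a management host obtains tok-a1, then the same
# token-id is presented from an address outside the management subnet.
SAMPLE_LOG = """\
10.0.0.5 POST /api/v1/auth/token-services 200 -
10.0.0.5 GET /api/v1/global/host-name 200 tok-a1
198.51.100.23 POST /api/v1/auth/token-services 200 -
198.51.100.23 PUT /api/v1/global/host-name 200 tok-a1
10.0.0.5 GET /api/v1/interfaces 200 tok-a1
198.51.100.23 GET /api/v1/interfaces 200 tok-b2
"""


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ip, method, path, status, token = line.split()
    return {
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "token": None if token == "-" else token,
    }


def is_management(ip):
    """True when the client address lies inside an assumed management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def analyse(log_text):
    """Return a list of findings tuples for the two detections.

    ("token_request_outside_mgmt", ip): a token-id was requested from a
        host outside the management subnet.
    ("token_reused_from_multiple_ips", token, (ip, ...)): one token-id was
        presented from more than one client address, which is what a
        stolen token-id looks like from the log side.
    """
    findings = []
    token_sources = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["path"] == TOKEN_ENDPOINT and not is_management(rec["ip"]):
            findings.append(("token_request_outside_mgmt", rec["ip"]))
        if rec["token"]:
            token_sources[rec["token"]].add(rec["ip"])
    for token, ips in token_sources.items():
        if len(ips) > 1:
            findings.append(
                ("token_reused_from_multiple_ips", token, tuple(sorted(ips)))
            )
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Both checks are cheap enough to run continuously against proxy logs; the second one is the more useful, because a token-id that changes source address mid-session is suspicious regardless of how it was obtained, and it does not depend on knowing the exploit details in advance.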


References:

Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability

Cisco Security Advisories and Alerts
