Despite being one of the world’s leading technology companies, Cisco remains vulnerable to some security flaws in its various products. This time, digital forensics specialists reported a serious vulnerability in the company’s devices running the IOS XE operating system.
Tracked as CVE-2019-12643, this is a critical vulnerability in the REST API Virtual Service Container for Cisco IOS XE that, if exploited, would allow threat actors to bypass authentication on an affected device. Given its characteristics, the flaw has a score of 10/10 on the Common Vulnerability Scoring System (CVSS) scale.
According to digital forensics experts, the flaw exists due to an improper check in the area of code that handles the REST API authentication service. The products most affected by this vulnerability are Cisco routers, primarily ASR 1000 Series Aggregation Service Router, Cisco Cloud Services Router 1000V, and Cisco Integrated Services Virtual Router.
In their investigation, experts claim that an unauthenticated remote attacker can exploit this flaw by sending specially crafted HTTP requests to the affected system. Doing so exposes the token identifier of authenticated users.
“While this is a critical security error, we must consider that its exploitation depends on multiple pre-attack factors and conditions, so the exploitation complexity increases considerably,” says Scott Ceveza, one of the specialists in charge of this research. “For example, the user must sign in to the device so the attackers can get the token identifier,” the expert adds.
On the other hand, a digital forensics specialist from the application security automation firm ShiftLeft Inc. believes this flaw is an important and timely security reminder: “Application security must be extended to each and every one of the code snippets that operate on an organization’s networks,” he says. “API dependencies fulfill a very important mission, allowing each organization to focus on the code for which the greatest value is added, leveraging the innovation of other companies to take full advantage of their APIs; however, by integrating an external API into an application, its security flaws are also being added,” the expert concluded.
According to digital forensics specialists from the International Institute of Cyber Security (IICS), Cisco Systems released iosxe-remote-mgmt.16.03.03.ova, an updated version of the affected virtual services container. In addition, further protection measures were added in the most recent versions of the IOS XE system, available only to Cisco licensed users.