Cisco has just released a new set of security updates for the Cisco IOS Software IOx application. According to ethical hacking specialists, these updates fix a vulnerability that, if exploited, would allow remote threat actors without authentication to access the guest operating system (Guest OS) as a root user.
The flaw, tracked as CVE-2019-12648, exists due to a weakness in system access control and has a score of 9.9/10 on the Common Vulnerability Scoring System (CVSS) scale, making it a critical security flaw.
The vulnerability primarily affects Cisco 100 Series Connected Grid (CGR 1000) routers, as well as Cisco 800 Series Industrial Integrated Services routers running out-of-date versions of Cisco IOS software with Guest OS installed, according to ethical hacking specialists.
In its security alert, the company notes that: “The flaw exists due to an incorrect assessment of role-based access control (RBAC) when a user with reduced privileges requests access to Guest OS, which should be restricted for users with administrator privileges”. In other words, a threat actor holding only the credentials of an unprivileged user could exploit the vulnerability to authenticate to Guest OS and obtain root-level access.
“The Guest OS feature is available as part of an IOS package image that contains the hypervisor, IOS, and Guest OS images,” adds the company alert. “Customers who used a Cisco IOS software image package to perform initial installations or software updates will have Guest OS installed automatically.”
Ethical hacking experts mention that Cisco has already released security updates to fix these flaws. Customers are encouraged to contact the Cisco Technical Assistance Center for further reports on this vulnerability.
To determine whether a device is affected, system administrators can run the show iox host list detail command, whose output shows whether Guest OS is enabled on the device.
At the moment there are no workarounds for CVE-2019-12648 on devices that cannot be updated quickly. However, the entry point used by attackers to exploit this vulnerability can be removed by uninstalling Guest OS with the guest-os image uninstall command, at least until the vulnerable systems can be patched.
In addition to this critical vulnerability, Cisco published advisories for at least 12 additional security flaws with CVSS scores of at least 7.5. According to ethical hacking specialists of the International Institute of Cyber Security (IICS), the company has already released updates to correct all these flaws, completely mitigating the risk of exploitation.