
Cisco patches critical vulnerability in Virtual Service Container for IOS XE

  • The bug could allow an attacker to bypass authentication on devices running an outdated version of virtual service containers.
  • Cisco has released version 16.09.03 of the REST API virtual service container, which patches the authentication bypass vulnerability.

Cisco has published a security update to patch a critical vulnerability in the virtual service container for Cisco's operating system IOS XE.

What is the vulnerability?

The vulnerability, tracked as CVE-2019-12643, exists in the REST API virtual service container for the IOS XE operating system.

  • Cisco rates the vulnerability as critical, with a CVSS base score of 10.0.
  • The bug could allow an unauthenticated, remote attacker to bypass authentication on devices running an outdated version of the virtual service container.
  • An attacker could exploit it by sending malicious HTTP requests to a target device, but successful exploitation is possible only if specific conditions are met.
  • A successful exploit could allow the attacker to obtain the token-id of an authenticated user, which could then be used to bypass authentication and execute privileged actions through the REST API interface.

The specific conditions include:

  • The device runs an affected Cisco IOS XE Software release.
  • The device has installed and enabled an affected version of the Cisco REST API virtual service container.
  • An authorized user with administrator credentials (level 15) is authenticated to the REST API interface.

What is the impact?

The vulnerability impacts the following products:

  • Cisco 4000 Series Integrated Services Routers
  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco Cloud Services Router 1000V Series
  • Cisco Integrated Services Virtual Router

Cisco has confirmed that Cisco IOS Software, Cisco IOS XR Software, and Cisco NX-OS Software are not affected.

Mitigation

Cisco has released version 16.09.03 of the REST API virtual service container ("iosxe-remote-mgmt.16.09.03.ova"), which patches the authentication bypass vulnerability.

To further protect customers, Cisco has also released a hardened version of the IOS XE software that prevents installation or activation of a vulnerable container on a device.

“Cisco has also released a hardened Cisco IOS XE Software release that prevents installation or activation of a vulnerable container on a device. If the device was already configured with an active vulnerable container, the IOS XE Software upgrade will deactivate the container, making the device not vulnerable. In that case, to restore the REST API functionality, customers should upgrade the Cisco REST API virtual service container to a fixed software release,” the security advisory read.
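The advisory's preconditions translate into a simple fleet check: a device is exposed only if the REST API container is both installed and activated, and its package version is older than the fixed 16.09.03 release named above. The following script is an added example and not Cisco's own tooling. It parses the output of the IOS XE `show virtual-service list` command (the sample output below is constructed, and the exact column layout is an assumption), extracts the container version from the `iosxe-remote-mgmt.<ver>.ova` package name, and reports whether each container is outdated and whether it is currently active. It does not check the hardened IOS XE release, since the page does not name it.

```python
import re

# Fixed REST API container release named in the advisory: iosxe-remote-mgmt.16.09.03.ova
FIXED_VERSION = (16, 9, 3)

# Constructed sample output modelled on IOS XE `show virtual-service list`
# (not captured from a real device; the column layout is an assumption).
SAMPLE_OUTPUT = """\
Virtual Service List:

Name                    Status             Package Name
------------------------------------------------------------------------------
csr_mgmt                Activated          iosxe-remote-mgmt.16.09.01.ova
guestshell              Deactivated        guestshell.ova
"""

# Only the REST API container package is of interest; other .ova packages are ignored.
PKG_RE = re.compile(r"iosxe-remote-mgmt\.(\d+)\.(\d+)\.(\d+)\.ova$", re.IGNORECASE)


def parse_virtual_services(text):
    """Return (name, status, package) tuples for each data row of the listing.

    Header, title and separator lines are skipped by requiring the last
    whitespace-separated field to be an .ova package name.
    """
    services = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[-1].lower().endswith(".ova"):
            continue
        services.append((parts[0], parts[1], parts[-1]))
    return services


def rest_api_container_version(package):
    """Return the (major, minor, patch) tuple for a REST API container package, or None."""
    m = PKG_RE.search(package)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(text):
    """Evaluate each REST API container found in the listing.

    'needs_upgrade' is true when the package predates 16.09.03.
    'vulnerable' additionally requires the container to be activated, matching
    the advisory's condition that the container be installed *and* enabled.
    """
    findings = []
    for name, status, package in parse_virtual_services(text):
        ver = rest_api_container_version(package)
        if ver is None:
            continue  # not the REST API container (e.g. guestshell)
        outdated = ver < FIXED_VERSION
        active = status.lower() == "activated"
        findings.append({
            "name": name,
            "status": status,
            "version": ".".join(f"{v:02d}" for v in ver),
            "needs_upgrade": outdated,
            "vulnerable": outdated and active,
        })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_OUTPUT):
        verdict = "VULNERABLE" if f["vulnerable"] else "not vulnerable"
        print(f"{f['name']}: {f['status']}, container {f['version']} -> {verdict}"
              f"{' (upgrade container)' if f['needs_upgrade'] else ''}")
```

A deactivated but outdated container is reported as needing an upgrade rather than as vulnerable, which is the state the hardened IOS XE release leaves a device in according to the advisory; the REST API stays unavailable until the container itself is upgraded.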

Cyware Publisher