CVE-2019-12643: Critical Authentication Bypass Vulnerability in REST API Container for Cisco IOS XE

Satnam Narang

Cisco releases ten advisories, including one critical advisory impacting Cisco IOS XE devices with the REST API Container enabled.

Background

On August 28, Cisco released 10 advisories to address vulnerabilities across multiple products, including Cisco NX-OS and FXOS, Nexus 9000 Series Fabric Switches and Unified Computing System (UCS) Fabric. The most severe vulnerability, which Cisco rates as critical, exists in the REST API Container for Cisco IOS XE.

Analysis

CVE-2019-12643 is an authentication bypass vulnerability in the REST API virtual service container for Cisco IOS XE software that received a CVSSv3 score of 10.0 from Cisco. The vulnerability could be exploited by an unauthenticated, remote attacker sending specially crafted web requests to a vulnerable device, resulting in the exposure of an authenticated users’ token-id. Obtaining a token-id for an authenticated user would enable an attacker to bypass authentication via the REST API, allowing them to “execute privileged actions” on the vulnerable device.

Despite the severity of this issue, Cisco notes that the following specific requirements need to be met for an attacker to be able to exploit this vulnerability:

  • The device is running an affected Cisco IOS XE Software release
  • The device has both installed and enabled an affected version of the Cisco REST API virtual service container.
  • An authorized user with administrator credentials (level 15) is authenticated to the REST API interface.

The second point above is very important, as the REST API container is not available by default, and requires installation and activation.

Cisco’s advisory notes they’ve identified a number of devices potentially affected by this vulnerability.

Affected Devices Cisco 4000 Series Integrated Services Routers Cisco ASR 1000 Series Aggregation Services Routers Cisco Cloud Services Router 1000V Series Cisco Integrated Services Virtual Router

If the REST API virtual service container is installed and enabled on a device, administrators can identify virtual service container name and version information by the following command:

show virtual-service version installed

The following is a list of affected virtual service containers for the Cisco REST API:

Virtual Service Container Name Version mgmt 1.5.1, 1.6.1, 1.7.1, 1.7.2, 1.8.1, 162.1, 99.99.99 csr_mgmt (Cloud Services Router) 03.16.03, 03.16.04, 1.0.0, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1, 162.1, 163.1, 2017.6, 2017.10, 99.99.99

Proof of concept

CVE-2019-12643 was discovered by Cisco during internal testing, so no proofs-of-concept (PoCs) exist for it at this time. There was also no PoC code available for any of the remaining advisories released by Cisco on August 28.

Vendor response

Cisco published a blog on CVE-2019-12643, entitled Insights Regarding the Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability.

Solution

For the vulnerability in the REST API Container for Cisco IOS XE, Cisco released iosxe-remote-mgmt.16.03.03.ova, a fixed version of the virtual service container. They also released updates to IOS XE with additional safeguards to prevent a vulnerable open virtual format (OVA) package from being installed.

To determine if your version of Cisco IOS XE is affected, please use Cisco’s IOS Software checker tool.

Cisco also released software updates to address the other vulnerabilities reported in their advisories. Please refer to those individual advisories for specific details regarding affected and fixed versions as well as workarounds.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Aug 29, 2019

People also viewed

Senior Financial Analyst - Corporate Development

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Finance
Your Role:Become a core member of Tenable’s internal corporate development team and assist with business, financial and valuation modeling for mergers, acquisitions and other strategic investments and initiatives.  Assist with evaluating elements ...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Technology Internships
Your Role: The Cloud Security Intern will help Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for the cloud that assess risk, keeps Tenable data safe and bake in sec...

Salesforce Administrator

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Business Platforms Business Platforms
Your Role:Tenable Network Security is looking for a Salesforce.com Administrator to join our internal business platforms team. The qualified candidate will engage in the administration of Tenable’s  Salesforce.com instance, play a key role in the ...

Technical Support Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Internships
Your Role: The Technical Support Intern provides consistent, world-class security, network, and product support for specific Tenable products. In serving as the primary liaison between the company and customer, the Technical Support Intern resolve...

Research Intern - Plugin Automation

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Research Internships
Your Role: Tenable Research is looking for a Software Engineer Intern for the Plugin Automation team.  The position will involve developing frameworks for automated content creation, and processes for validating and publishing the content that is ...

Sales Development Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Lead Generation Sales
Your Role:Tenable is looking for an experienced SDR Manager that will report to the Senior Director of Worldwide Sales Development and is responsible for ensuring the success of the Americas Tenable Sales Development team’s goals, as well as contr...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.