CVE-2019-12643: Critical Authentication Bypass Vulnerability in REST API Container for Cisco IOS XE

Cisco releases ten advisories, including one critical advisory impacting Cisco IOS XE devices with the REST API Container enabled.

Background

On August 28, Cisco released 10 advisories to address vulnerabilities across multiple products, including Cisco NX-OS and FXOS, Nexus 9000 Series Fabric Switches and Unified Computing System (UCS) Fabric. The most severe vulnerability, which Cisco rates as critical, exists in the REST API Container for Cisco IOS XE.

Analysis

CVE-2019-12643 is an authentication bypass vulnerability in the REST API virtual service container for Cisco IOS XE software that received a CVSSv3 score of 10.0 from Cisco. The vulnerability could be exploited by an unauthenticated, remote attacker sending specially crafted web requests to a vulnerable device, resulting in the exposure of an authenticated users’ token-id. Obtaining a token-id for an authenticated user would enable an attacker to bypass authentication via the REST API, allowing them to “execute privileged actions” on the vulnerable device.

Despite the severity of this issue, Cisco notes that the following specific requirements need to be met for an attacker to be able to exploit this vulnerability:

• The device is running an affected Cisco IOS XE Software release
• The device has both installed and enabled an affected version of the Cisco REST API virtual service container.
• An authorized user with administrator credentials (level 15) is authenticated to the REST API interface.

The second point above is very important, as the REST API container is not available by default, and requires installation and activation.

Cisco’s advisory notes they’ve identified a number of devices potentially affected by this vulnerability.

If the REST API virtual service container is installed and enabled on a device, administrators can identify virtual service container name and version information by the following command:

show virtual-service version installed

The following is a list of affected virtual service containers for the Cisco REST API:

Proof of concept

CVE-2019-12643 was discovered by Cisco during internal testing, so no proofs-of-concept (PoCs) exist for it at this time. There was also no PoC code available for any of the remaining advisories released by Cisco on August 28.

Vendor response

Cisco published a blog on CVE-2019-12643, entitled Insights Regarding the Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability.

Solution

For the vulnerability in the REST API Container for Cisco IOS XE, Cisco released iosxe-remote-mgmt.16.03.03.ova, a fixed version of the virtual service container. They also released updates to IOS XE with additional safeguards to prevent a vulnerable open virtual format (OVA) package from being installed.

To determine if your version of Cisco IOS XE is affected, please use Cisco’s IOS Software checker tool.

Cisco also released software updates to address the other vulnerabilities reported in their advisories. Please refer to those individual advisories for specific details regarding affected and fixed versions as well as workarounds.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

• Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability
• Cisco PSIRT Blog for CVE-2019-12643

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.