Cisco IOS XR 64-Bit Software for Cisco ASR 9000 Series Aggregation Services Routers Network Isolation Vulnerability

critical Nessus Plugin ID 124325

Synopsis

The remote device is missing a vendor-supplied security patch

Description

According to its self-reported version, Cisco ASR 9000 Series Aggregation Services Routers are affected by the following vulnerability :

- A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM.The vulnerability is due to incorrect isolation of the secondary management interface from internal sysadmin applications. An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.
(CVE-2019-1710)

A workaround exists for this vulnerability. Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version or apply the workaround referenced in advisory cisco-sa-20190417-asr9k-exr

See Also

http://www.nessus.org/u?04bb980d

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn56004

Plugin Details

Severity: Critical

ID: 124325

File Name: cisco-sa-20190417-asr9k-exr.nasl

Version: 1.7

Type: combined

Family: CISCO

Published: 4/26/2019

Updated: 4/8/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-1710

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:cisco:asr_9000_series_aggregation_services_routers

Required KB Items: Host/Cisco/IOS-XR/Version, Host/Cisco/IOS-XR/Model, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 4/17/2019

Vulnerability Publication Date: 4/17/2019

Reference Information

CVE: CVE-2019-1710

BID: 108007

CWE: CWE-20

CISCO-SA: cisco-sa-20190417-asr9k-exr

CISCO-BUG-ID: CSCvn56004