Cisco released security updates for
“On August 28th, 2019, Cisco published a Security Advisory titled “Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Vulnerability”, disclosing an internally found
The vulnerability resides in the Cisco REST API container, an attacker could exploit the flaw to submit commands through the REST API that will be executed on the vulnerable device.
The REST API container provides an alternative interface of RESTful APIs that allows managing devices running Cisco IOS-XE Software. The REST API container is located in a virtual services container, which is a
This CVE-2019-12643 flaw was discovered by researchers at Cisco during internal testing, it received a severity score of 10.
Only the following Cisco platforms support
Under specific conditions, an attacker could trigger the flaw by sending specially-crafted HTTP requests to an affected device. If an administrator is authenticated to the REST API interface, an attacker can obtain the ‘
“The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device.”
Cisco’s advisory pointed out that the REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices.
The exploitation of the issue is possible only if the target device has enabled a vulnerable version of the Cisco REST API virtual service container.
Administrators should install version 16.09.03 of the REST API virtual device container (“
“Cisco has also released a hardened Cisco IOS XE Software release that prevents installation or activation of a vulnerable container on a device. If the device was already configured with an active vulnerable container, the IOS XE Software upgrade will deactivate the container, making the device not vulnerable.”continues
Cisco confirmed that are no workarounds available.
(SecurityAffairs – Cisco IOS XE, CVE-2019-12643)