CVE-2019-12643: Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability

Cisco officially released an announcement to fix an authentication bypass vulnerability (CVE-2019-12643) in the REST API virtual service container of Cisco IOS XE software. The cause of the vulnerability is that the code that manages the REST API authentication service performed an incorrect check. An attacker could exploit this vulnerability by submitting a malicious HTTP request to the target device.

A successful exploit can allow an attacker to obtain the token id of an authenticated user. This token id can be used to bypass authentication and perform privileged operations through the REST API virtual service container interface on the affected Cisco IOS XE device. However, by default, the REST API interface is not enabled and must be installed and activated separately on the IOS XE device.

CVSS 3.0 rating:

Base 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X

Affected products

This vulnerability is in the Cisco REST API Virtual Service container, but it affects Cisco IOS XE devices that have the vulnerable version of the Cisco REST API virtual service container enabled. When the announcement is released, the following products are affected:

  • Cisco 4000 Series Integrated Services Router
  • Cisco ASR 1000 Series Aggregation Services Router
  • Cisco Cloud Services Router 1000V Series
  • Cisco Integrated Services Virtual Router

Unaffected product

  • REST API virtual service container: iosxe-remote-mgmt.16.09.03.ova
  • Officials have confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software or Cisco NX-OS software.

Solution

Currently, Cisco officially released a fixed version of the REST API virtual service container. A hardened version of Cisco IOS XE software was also released to prevent vulnerable containers from being installed or activated on the device. If the device is configured with a vulnerable container, upgrading the IOS XE software will deactivate the container, making the device less vulnerable. In this case, to restore REST API functionality, customers should upgrade the Cisco REST API virtual service container to a fixed version.