Attacker Value
High
(3 users assessed)
Exploitability
Moderate
(3 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
3

Authentication bypass vulnerability in Cisco’s IOS XE REST API

Disclosure Date: August 28, 2019 Last updated February 13, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

This is an authentication bypass vulnerability in Cisco’s IOS XE series OS. While it can target a large swath of Cisco’s switches and routers, it requires the Cisco REST API Container for IOS to be turned on, as it is not on by default.

Add Assessment

7
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

This exploit is difficult to judge. Some exploitation scores for this vulnerability have been very high, and I understand why: This is a vulnerability on a typically externally facing, or universally-internally-facing service, but the service is optional. While certainly this is a priority to patch and mitigate, I find it hard to understand why a vulnerability on an optional service ranks as a 10/10 on vulnerability scores. That conclusion may be based on my ignorance of deployed Cisco products.
Edit

7
Ratings
Technical Analysis

The issue with ranking exploitability even the vulnerability with rest api in this particular instance would be a combination of “are recommended measures in place to mitigate if it exists in the first place” and “how willing the actor would be be to exploit”. If the given scenario for exploitation presents itself, then it will be fairly quick and easy to exploit and get to the meat and begin enumerating other endpoints and privilege. To even conduct the reconnaissance necessary to have an idea of vulnerability seems a pretty difficult task in my limited knowledge.

That said, if identified and utilized, this is powerful.

While the vulnerable code resides within the Cisco REST API container, the effects of the vulnerability, if exploited, will be experienced on the Cisco device as a whole. This is because exploiting this vulnerability could allow an attacker to submit commands through the REST API that will be executed on the affected device.

The fact that in the blog post sited here on AttackerKB the author uses the work “only” when describing the hardware effected sets off a bit of an alarm bell in my opinion. Any CVE allowing commands at level specified to be issued on an endpoint is cause for concern, especially with something as simple to manipulate as REST API Most certainly if standard reconnaissance methods can identify.

Only the following Cisco platforms supports the affected Cisco REST API container and are therefore potentially impacted by this vulnerability:
    Cisco 4000 Series Integrated Services Routers
    Cisco ASR 1000 Series Aggregation Services Routers
    Cisco Cloud Services Router 1000V Series
    Cisco Integrated Services Virtual Router

Another thing we must remember as researchers, on either side, is that our analysis and public disclosure also acts and beneficial information for any threat actor. So, I’d say definitely be cautious in publishing information that downplays a CVE as it can appear complacency is setting in.

Okay, to end of all my unnecessary commentary I’d say this is a pretty useful vulnerability if risk of exploitation is obvious and in numbers exceeding risk matrices or thresholds developed by in house teams.

https://blogs.cisco.com/security/cve-2019-12643
https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html#~stickynav=1

General Information

Additional Info

Technical Analysis