Authentication bypass vulnerability in Cisco’s IOS XE REST API
Attacker Value: High (3 users assessed)
Exploitability: Moderate (3 users assessed)
Description
This is an authentication bypass vulnerability in Cisco’s IOS XE series OS. While it affects a large swath of Cisco’s switches and routers, exploitation requires the Cisco REST API Container for IOS XE to be installed and enabled, which it is not by default.
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
This exploit is difficult to judge. Some exploitation scores for this vulnerability have been very high, and I understand why: This is a vulnerability on a typically externally facing, or universally-internally-facing service, but the service is optional. While certainly this is a priority to patch and mitigate, I find it hard to understand why a vulnerability on an optional service ranks as a 10/10 on vulnerability scores. That conclusion may be based on my ignorance of deployed Cisco products.
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
High attacker utility if only the vulnerability is considered.
Quoting Cisco:
In order for a device to be considered vulnerable, all of the following conditions must be met:
- A REST API OVA package with a version below 16.9.3 must be present on the device local storage
- The REST API virtual service is installed
- The REST API virtual service is configured
- The REST API virtual service is enabled
Given that the vulnerable service is not enabled by default and requires some extra steps to even set up, I am unsure of the actual likelihood of successful exploitation. Echoing what Brendan said, mitigations are already in place on the device if the vulnerable service is installed and enabled. Because of that, I wouldn’t say that this is the most urgent of patches to install, although it’s always better to have a patched system.
Well said.
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
The issue with ranking exploitability, even of the vulnerability with the REST API in this particular instance, would be a combination of “are recommended measures in place to mitigate if it exists in the first place” and “how willing the actor would be to exploit”. If the given scenario for exploitation presents itself, then it will be fairly quick and easy to exploit and get to the meat and begin enumerating other endpoints and privilege. To even conduct the reconnaissance necessary to have an idea of vulnerability seems a pretty difficult task in my limited knowledge.
That said, if identified and utilized, this is powerful.
The fact that in the blog post cited here on AttackerKB the author uses the word "only" when describing the hardware affected sets off a bit of an alarm bell in my opinion. Any CVE allowing commands at the specified level to be issued on an endpoint is cause for concern, especially with something as simple to manipulate as a REST API. Most certainly if standard reconnaissance methods can identify it.
Only the following Cisco platforms support the affected Cisco REST API container and are therefore potentially impacted by this vulnerability:
- Cisco 4000 Series Integrated Services Routers
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
- Cisco Integrated Services Virtual Router
Another thing we must remember as researchers, on either side, is that our analysis and public disclosure also act as beneficial information for any threat actor. So, I’d say definitely be cautious in publishing information that downplays a CVE, as it can appear that complacency is setting in.
Okay, to end all my unnecessary commentary, I’d say this is a pretty useful vulnerability if the risk of exploitation is obvious and in numbers exceeding risk matrices or thresholds developed by in-house teams.
https://blogs.cisco.com/security/cve-2019-12643
https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html#~stickynav=1