Cisco has warned new proof-of-concept (PoC) code demonstrates how an attacker could exploit a critical vulnerability in the Cisco IOS XE REST API.
The PoC code is now publicly available for the Cisco REST API virtual service container for Cisco IOS XE Software vulnerability CVE-2019-12643. As a consequence, a remote attacker could bypass authentication on the managed Cisco XE device.
Previously, Cisco patched and published a summary of the issue in a security advisory on August 28, 2019:
“The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device.”
To add, the company said the REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices.
Impacted products include:
- Cisco 4000 Series Integrated Services Routers
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
- Cisco Integrated Services Virtual Router.
Cisco since updated the advisory last Friday and confirmed the PoC code went public. Software updates are available that address the vulnerability.