Cisco is warning admins to patch a severe flaw in the IOx application-hosting environment of IOS (Internetwork Operating System), the network operating system on its industrial routers.
The bug, CVE-2019-12648, affects large network operators that use Cisco’s 800 Series Industrial Integrated Services Routers, which are used for IoT gateway operations, and its 1000 Series Connected Grid Routers, Cisco’s ruggedized routers for utility and energy sub-stations.
Cisco offers customers an IOS bundle image that contains a hypervisor, IOS, and guest OS images, such as Linux. The potentially vulnerable guest OS is automatically installed on devices when customers use the IOS bundle for the initial install or for a software upgrade.
The flaw resides in the IOx application environment for Cisco IOS and is due to incorrect role-based access control (RBAC) evaluation in IOS, which lets an attacker holding valid low-privileged credentials reach a guest OS that should be restricted to administrative accounts (privilege level 15 in IOS terms).
“An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user,” Cisco explains.
The bug has a CVSS 3.0 base score of 9.9 out of a possible 10, which would usually mean a “critical” rating. However, Cisco gave it a “high” severity rating because exploitation only yields control of the guest OS hosted on the device, not administrative access to the underlying IOS software.
In other words, the vulnerability is localized within the guest OS instance.
“Under no circumstance could an exploitation allow the attacker to gain administrative access to the IOS Software running on an affected device,” Cisco assures users.
“For this reason, though the Common Vulnerability Scoring System (CVSS) score corresponds to a Critical qualitative representation, this vulnerability is considered HIGH Security Impact Rating (SIR).”
Customers must upgrade to a fixed IOS release to address the flaw. Until that upgrade can be scheduled, Cisco says disabling the guest OS is a suitable mitigation, because it “eliminates the attack vector”.
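What that workaround looks like at the router CLI, as an added example rather than text from Cisco’s advisory or this article: the `guest-os 1 stop` and `guest-os 1 disable` privileged EXEC commands and the `show iox host list detail` check are taken from the IR800 series IOx configuration guides as the editor recalls them, so confirm them against the guide for your platform and release before relying on them.

```cisco
! Added example: stopping and disabling the IOx Guest OS on an IR800 series router.
! Command names are assumed from the IR800 IOx configuration guide; verify for your release.

! Check the current state first: the Guest OS is normally running after an IOS bundle install.
Router# show iox host list detail

! Halt the running Guest OS instance.
Router# guest-os 1 stop

! Keep it from being started again, including after a reload.
Router# guest-os 1 disable

! Re-check: the Guest OS should now be reported as not running. While it stays disabled
! there is nothing for a low-privileged user to authenticate to, which is the attack
! vector the advisory describes. Re-enable it only after the fixed IOS release is installed.
Router# show iox host list detail
```

Disabling the guest OS also stops any IOx applications customers have deployed on it, so treat this as a stop-gap for sites where the application workload can be paused until the fixed release is rolled out.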
The IOx issue was one of 13 vulnerabilities disclosed in Cisco’s semiannual bundled security advisory publication for IOS and IOS XE, which is released in March and September each year. Cisco also published advisories for 17 other medium-severity flaws.
Cisco is also warning customers with IOS and IOS XE devices to disable the Layer 2 traceroute feature, which is enabled by default on Cisco Catalyst switches.
Because the L2 traceroute server is enabled by default, Cisco explains, an attacker could probe multiple affected switches and “build a complete L2 topology map of that network”.
“By design, the L2 traceroute server does not require authentication, and it allows certain information about an affected device to be read, including the following: hostname, hardware model, configured interfaces, configured IP addresses, VLAN database, MAC address table, Layer 2 filtering table, and Cisco Discovery Protocol (CDP) neighbor information.”
“Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network.”
The issue is detailed in an “informational advisory” that explains four options customers have to secure the L2 traceroute server.
- Disable the L2 traceroute server.
- Restrict access to the L2 traceroute server through infrastructure access control lists (iACLs).
- Restrict access to the L2 traceroute server through control plane policing (CoPP).
- Upgrade to a release that has the L2 traceroute server disabled by default.
Releases with the L2 traceroute server disabled by default do not start shipping until December 2019, however. They are Cisco IOS 15.2(7)E1 (December 2019) and later; Cisco IOS XE 3.11.1E (December 2019) and later; and Cisco IOS XE 17.2.1 (March 2020) and later.
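The first three options from the advisory, written out as an added configuration example for a Catalyst switch running IOS or IOS XE; this is the editor’s illustration, not configuration from Cisco’s advisory. The `l2 traceroute` global command is documented in the Catalyst command references; the UDP port 2228 used for the iACL and CoPP variants is an assumption recalled from Cisco’s advisory, and the 10.10.0.0/24 management subnet, interface and ACL/class/policy names are constructed for the example.

```cisco
! Added example (not from Cisco's advisory): three ways to take the L2 traceroute
! server away from untrusted hosts. Port 2228/udp is assumed; confirm before use.

! Option 1: disable the server outright. This is the simplest and removes the
! information leak entirely; L2 traceroute from other switches to this one stops working.
no l2 traceroute

! Option 2: infrastructure ACL. Allow the traceroute port only from the management
! subnet (10.10.0.0/24, constructed), refuse it from everyone else, pass other traffic.
! Apply inbound on interfaces that face untrusted or access-layer segments.
ip access-list extended IACL-L2TRACE
 permit udp 10.10.0.0 0.0.0.255 any eq 2228
 deny   udp any any eq 2228 log
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip access-group IACL-L2TRACE in

! Option 3: control plane policing. In a CoPP class-map the ACL's "permit" lines
! select traffic for the class and "deny" lines exclude it, so the management subnet
! is excluded and everything else aimed at the traceroute port is dropped before it
! reaches the CPU, regardless of which interface it arrives on.
ip access-list extended ACL-L2TRACE-UNTRUSTED
 deny   udp 10.10.0.0 0.0.0.255 any eq 2228
 permit udp any any eq 2228
!
class-map match-all CM-L2TRACE-UNTRUSTED
 match access-group name ACL-L2TRACE-UNTRUSTED
!
policy-map PM-COPP
 class CM-L2TRACE-UNTRUSTED
  drop
!
control-plane
 service-policy input PM-COPP

! Verification for option 1: the negated command appears in the running config.
! show running-config | include l2 traceroute
```

Option 1 is the one to reach for unless the L2 traceroute tool is actually in use for troubleshooting; the iACL and CoPP variants keep it usable from the management network but depend on the port being correct and, for CoPP, on the platform supporting a `drop` action in hardware, so test on a lab switch of the same model and release before pushing to production.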