Cisco Fixes Critical Bug in Virtual Service Container for IOS XE


Cisco today released an update to its IOS XE operating system to patch a critical vulnerability that could allow a remote attacker to bypass authentication on devices that run an outdated version of a virtual service container.

Virtual service containers provide an isolated environment for processes on the device. They come as an open virtual appliance (OVA) package and can run applications for different purposes.

Admins can use them to equip the device with tools for troubleshooting and common network tasks, or for analysis and monitoring. A popular use is to extend the capabilities of the host.

Maximum score for severity

The security issue is tracked as CVE-2019-12643. It has the maximum severity score of 10 and resides in the REST API virtual service container for Cisco's IOS XE operating system.

This security flaw affects the following products:

  • Cisco 4000 Integrated Services Routers Series
  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco Cloud Services Router 1000V Series
  • Cisco Integrated Services Virtual Router

If certain conditions are met, the flaw can be exploited merely by sending malicious HTTP requests to a target device. If an administrator is authenticated to the REST API interface, an attacker can obtain their 'token-id' and execute commands with high privileges.

Besides an authenticated admin, the target device must also have a vulnerable version of the Cisco REST API virtual service container enabled.

Network administrators should install version 16.09.03 of the REST API virtual service container ("iosxe-remote-mgmt.16.09.03.ova") to patch the authentication bypass bug. To further safeguard customers, Cisco published a hardened IOS XE software release that does not allow a vulnerable container to be installed or activated.

“If the device was already configured with an active vulnerable container, the IOS XE Software upgrade will deactivate the container, making the device not vulnerable. In that case, to restore the REST API functionality, customers should upgrade the Cisco REST API virtual service container to a fixed software release.” – Cisco
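An added example, not from Cisco or the original article: a small inventory check that flags devices whose REST API container package is older than the fixed 16.09.03 release, separating active containers from inactive ones. The hostnames and inventory rows are constructed, and the check assumes packages follow the filename pattern quoted above; any other name is sent for manual review.

```python
import re

# Fixed release named in the article. The filename pattern is taken from
# the one package name the article quotes (iosxe-remote-mgmt.16.09.03.ova).
FIXED = (16, 9, 3)
PKG_RE = re.compile(r"^iosxe-remote-mgmt\.(\d+)\.(\d+)\.(\d+)\.ova$")


def classify(package, activated):
    """Return 'ok', 'upgrade', 'inactive-outdated' or 'review' for one container."""
    m = PKG_RE.match(package.strip().lower())
    if not m:
        # Unknown naming scheme: do not guess, hand it to a human.
        return "review"
    version = tuple(int(part) for part in m.groups())
    if version >= FIXED:
        return "ok"
    # Assumption: a lower number under the same naming scheme is outdated.
    # An inactive outdated container is reported separately so it can be
    # replaced before anyone activates it again.
    return "upgrade" if activated else "inactive-outdated"


def audit(inventory):
    """Map each verdict to the sorted list of hostnames that received it."""
    report = {}
    for host, package, activated in inventory:
        report.setdefault(classify(package, activated), []).append(host)
    return {verdict: sorted(hosts) for verdict, hosts in report.items()}


# Constructed inventory rows: (hostname, container package, activated?)
SAMPLE = [
    ("edge-rtr-01", "iosxe-remote-mgmt.16.09.03.ova", True),
    ("edge-rtr-02", "iosxe-remote-mgmt.16.06.05.ova", True),
    ("lab-csr-01", "iosxe-remote-mgmt.16.08.01.ova", False),
    ("branch-isr-07", "custom-mgmt-build.ova", True),
]

if __name__ == "__main__":
    for verdict, hosts in audit(SAMPLE).items():
        print(f"{verdict}: {', '.join(hosts)}")
```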

No workarounds are available, the company states in its security advisory for the flaw. Cisco's Product Security Incident Response Team (PSIRT) is not aware of this vulnerability.

Bugs of high and medium severity

Apart from this advisory, the company has released security advisories for nine other high- and medium-severity issues affecting Unified Computing System (UCS) Fabric Interconnects, FXOS, NX-OS and Nexus 9000 Series Fabric Switches.

Four serious issues have been identified in NX-OS software. Two can crash the device (CVE-2019-1962) or cause the netstack to restart unexpectedly (CVE-2019-19624).

The other two allow an authenticated attacker to restart the SNMP application (CVE-2019-1963) or exhaust system memory by preventing the termination of a remote connection of a VSH session (CVE-2019-1965).

The serious issue in Cisco's Fabric Interconnect is tracked as CVE-2019-1966 and leads to local privilege escalation to root. The attacker can use 'external CLI command alternatives in the local mgmt context.' All vulnerabilities mentioned in today's advisories were found internally by Cisco during security testing or while resolving customer support cases.

Credit: BleepingComputer

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.