Cisco has disclosed over a dozen high-severity vulnerabilities affecting the widely deployed Cisco IOS and IOS XE network automation software, including a nasty one affecting its industrial routers and grid routers.
The company is also warning customers to disable an L2 traceroute feature in IOS for which there is public exploit code.
Cisco is urging admins to review which versions of Cisco IOS and IOS XE their devices are running to ensure these have been updated to versions that address 13 separate flaws.
The flaws have been disclosed as part of Cisco’s twice-yearly software security advisory bundle for Cisco IOS and IOS XE, which are released on the fourth Wednesday of March and September.
This update includes 12 advisories detailing 13 high-severity vulnerabilities that could give an attacker unauthorized access to an affected device, allow them to run a command-injection attack, or exhaust a device’s resources and cause a denial of service.
Although none is rated as critical, a bug tracked as CVE-2019-12648 in the IOx application environment for IOS has a CVSS 3.0 score of 9.9 out of a possible 10.
Cisco explains that even though this CVSS score usually corresponds to a critical rating, this bug is contained within a guest operating system running on a virtual machine of an affected IOS device. The bug doesn’t give an attacker the ability gain administrative access to IOS itself.
“Under no circumstance could an exploitation allow the attacker to gain administrative access to the IOS software running on an affected device,” Cisco notes.
The bug is due to an incorrect role-based access control (RBAC) evaluation for controlling access to the guest OS in IOS.
An attacker would need to be authenticated to exploit the bug. However, due to the RBAC issue, the bug allows a low-privilege user to request access to a guest OS – such as Linux instance running on a VM within an affected device – that should be restricted to administrative accounts. These are defined in IOS as ‘level 15’ accounts. An attacker can exploit the bug to gain access to the OS as root user.
There are no workarounds, so customers will need to ensure they’re running a fixed version of IOS. However, if an upgrade can’t be done immediately, Cisco suggests that disabling the guest OS “eliminates the attack vector” and so may be a suitable mitigation. Cisco offers instructions for uninstalling guest OS in its advisory.
Cisco has also published an informational advisory for an issue in the Layer 2 network traceroute utility in IOS and IOS XE. The feature is enabled by default on Cisco Catalyst switches. The company notes it is aware of public exploit code available for this issue.
By design, Cisco notes, the L2 traceroute server doesn’t require authentication and allows an attacker to collect a whole lot of information about an affected device, including the hostname, hardware model, configured interfaces and IP addresses, VLAN database, MAC address table, Layer 2 filtering table, and Cisco Discovery Protocol neighbor information.
“Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network,” Cisco warns.
Cisco has provided information about how to secure the L2 traceroute server in the advisory. The advice includes, among other things, disabling the server or upgrading to a version of IOS or IOS XE that has it disabled by default.
However, upgrading to a version with it disabled won’t be possible until later this year. These versions include Cisco IOS 15.2(7)E1 December 2019, and later; Cisco IOS XE 3.11.1E December 2019, and later; and Cisco IOS XE 17.2.1 March 2020, and later.
In the meantime, there are also options to restrict access through control-plane policing or access control lists.
The semiannual IOS and IOS XE bundle only includes critical and high-severity updates. In addition to the informational update, Cisco has also released 17 more advisories concerning medium severity bugs affecting IOS and IOS XE.