A severe security vulnerability in several types of Cisco routers allows cybercriminals to gain full control of the devices. Discover which routers are affected and what you need to do to patch the hole.

Companies often use routers to connect and control traffic between two or more networks. On August 28, Cisco Systems announced it found a critical security vulnerability (CVE-2019-12643) that affects some of its routers. The vulnerability has been given the highest-possible severity rating in the Common Vulnerability Scoring System because it allows cybercriminals to bypass the login process and gain full control of the routers.

The Affected Routers

The vulnerability affects four types of routers, all of which run the Cisco IOS XE operating system:

  • Cisco 4000 Series Integrated Services Routers
  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco Cloud Services Router 1000V Series
  • Cisco Integrated Services Virtual Router

The security hole lies in one of the tools that companies can use to manage these routers. Rather than using the routers’ command-line interface to manually manage functions, companies can automate some management tasks with the Cisco REST API application. This application uses a set of RESTful APIs — application program interfaces (APIs) based on the representation state transfer (REST) technology — to automate functions.

The REST API application runs in a virtual service container, which is delivered as an open virtual application (OVA) package. The vulnerability resides in the REST API virtual service container. It is the result of an improper check performed by the code that manages the REST API authentication service.

Even though the vulnerability is in the container and not the operating system, the entire router is at risk. “This is because exploiting this vulnerability could allow an attacker to submit commands through the REST API that will be executed on the affected device,” explained Eugenio Iavarone, a member of Cisco’s Product Security Incident Response Team.

The vulnerability is exploitable when all of the following conditions are present:

  • The router contains an old version of the REST API OVA package (release 16.9.2 or earlier). This file could be on a router without users realizing it because the package came bundled with some releases of the Cisco IOS XE operating system. The bundling practice was discontinued starting with Cisco IOS XE 16.7.1, at which point the OVA package became a separate download.
  • A REST API virtual service container is installed and configured on the router. The Cisco Virtual Manager is used to install and configure these containers.
  • The REST API virtual service container is enabled. By default, it is disabled.

If any of these conditions are not present (e.g., the container is disabled), cybercriminals won’t be able to use the security hole to hack the router.

The Fix

Cisco has fixed the security vulnerability in version 16.9.3 of the REST API OVA package. This package (iosxe-remote-mgmt.16.09.03.ova) has been released and is available for download in Cisco’s Software Download site.

In addition, Cisco has added several safeguards to the next version of Cisco IOS XE. For example, the operating system will prevent the installation and activation of a vulnerable REST API virtual service container on a router. At the time of this writing, Cisco had not yet released the next version of Cisco IOS XE.

Check Your Company’s Routers

Due to the serious nature of the vulnerability, it is important to check whether your network includes any of the affected Cisco routers. If so, you need to make sure they do not have an old version of the REST API OVA package on them. Any old OVA packages should be immediately upgraded to version 16.9.3. We can take care of checking your routers and upgrading their software for you if you do not have the time.