A number of high-severity vulnerabilities were unearthed in Cisco IOS and IOS XE network automation software. One of the flaws affects the company’s industrial and grid routers, making the impact incomprehensible.
Severe Cisco IOS and IOS XE Vulnerabilities Discovered
According to the official advisory, all of these vulnerabilities have a Security Impact Rating (SIR) of High. Successful exploitation could allow an attacker to gain unauthorized access, carry out a command injection attack, or cause a denial of service (DoS) condition on an affected device.
It is noteworthy that two of the vulnerabilities affect both Cisco IOS Software and Cisco IOS XE Software. Eight of the vulnerabilities affect Cisco IOS XE Software. One of the vulnerabilities affects the Cisco IOx application environment. The good news is that none of them affect Cisco IOS XR Software or Cisco NX-OS Software, the company said.
Here’s a list of the vulnerabilities:
CVE-2019-12652 – Cisco Catalyst 4000 Series Switches TCP Denial of Service Vulnerability
CVE-2019-12648 – Cisco IOx for IOS Software Guest OS Unauthorized Access Vulnerability
CVE-2019-12647 – Cisco IOS and IOS XE Software IP Ident Denial of Service Vulnerability
CVE-2019-12654 – Cisco IOS and IOS XE Software Session Initiation Protocol Denial of Service Vulnerability
CVE-2019-12649 – Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVE-2019-12658 – Cisco IOS XE Software Filesystem Exhaustion Denial of Service Vulnerability
CVE-2019-12655 – Cisco IOS XE Software FTP Application Layer Gateway for NAT, NAT64, and ZBFW Denial of Service Vulnerability
CVE-2019-12646 – Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability
CVE-2019-12653 – Cisco IOS XE Software Raw Socket Transport Denial of Service Vulnerability
CVE-2019-12657 – Cisco IOS XE Software Unified Threat Defense Denial of Service Vulnerability
CVE-2019-12650, CVE-2019-12651 – Cisco IOS XE Software Web UI Command Injection Vulnerabilities
CVE-2019-12656 – Cisco IOx Application Environment Denial of Service Vulnerability
Of these, the CVE-2019-12648 vulnerability discovered in the IOx application environment for IOS has a CVSS 3.0 score of 9.9 out of a possible 10. This makes it the most dangerous one of the flaws listed above. It is described as a vulnerability in the IOx application environment for Cisco IOS Software, which could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device.
Cisco is advising administrators to review which versions of Cisco IOS and IOS XE their devices are running to make sure thesy have been updated to versions that address the vulnerabilities. Have a look at the official advisory for more information.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: