A number of high-severity vulnerabilities were unearthed in Cisco IOS and IOS XE network automation software. One of the flaws affects the company’s industrial and grid routers, making the impact incomprehensible.
Severe Cisco IOS and IOS XE Vulnerabilities Discovered
According to the official advisory, all of these vulnerabilities have a Security Impact Rating (SIR) of High. Successful exploitation could allow an attacker to gain unauthorized access, carry out a command injection attack, or cause a denial of service (DoS) condition on an affected device.
It is noteworthy that two of the vulnerabilities affect both Cisco IOS Software and Cisco IOS XE Software. Eight of the vulnerabilities affect Cisco IOS XE Software. One of the vulnerabilities affects the Cisco IOx application environment. The good news is that none of them affect Cisco IOS XR Software or Cisco NX-OS Software, the company said.
Here’s a list of the vulnerabilities:
CVE-2019-12652 – Cisco Catalyst 4000 Series Switches TCP Denial of Service Vulnerability
CVE-2019-12648 – Cisco IOx for IOS Software Guest OS Unauthorized Access Vulnerability
CVE-2019-12647 – Cisco IOS and IOS XE Software IP Ident Denial of Service Vulnerability
CVE-2019-12654 – Cisco IOS and IOS XE Software Session Initiation Protocol Denial of Service Vulnerability
CVE-2019-12649 – Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVE-2019-12658 – Cisco IOS XE Software Filesystem Exhaustion Denial of Service Vulnerability
CVE-2019-12655 – Cisco IOS XE Software FTP Application Layer Gateway for NAT, NAT64, and ZBFW Denial of Service Vulnerability
CVE-2019-12646 – Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability
CVE-2019-12653 – Cisco IOS XE Software Raw Socket Transport Denial of Service Vulnerability
CVE-2019-12657 – Cisco IOS XE Software Unified Threat Defense Denial of Service Vulnerability
CVE-2019-12650, CVE-2019-12651 – Cisco IOS XE Software Web UI Command Injection Vulnerabilities
CVE-2019-12656 – Cisco IOx Application Environment Denial of Service Vulnerability
Of these, the CVE-2019-12648 vulnerability discovered in the IOx application environment for IOS has a CVSS 3.0 score of 9.9 out of a possible 10. This makes it the most dangerous one of the flaws listed above. It is described as a vulnerability in the IOx application environment for Cisco IOS Software, which could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device.
Cisco is advising administrators to review which versions of Cisco IOS and IOS XE their devices are running to make sure thesy have been updated to versions that address the vulnerabilities. Have a look at the official advisory for more information.