Cisco has patched a high-severity vulnerability in its software for routers and switches, which could enable a remote attacker to reconfigure or execute commands on impacted devices.
IOS XE, a Linux-based version of Cisco’s Internetworking Operating System (IOS), is software for Cisco routers and switches. Products supported by IOS XE include enterprise switches (including Cisco’s Catalyst series), branch routers and edge routers including ASR 1013.
The high-severity vulnerability enables cross-site request forgery, an attack that forces an end user, once they click on a malicious link, to execute unwanted actions on a web application in which they’re currently authenticated.
“A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system,” according to Cisco’s Wednesday advisory.
The flaw (CVE-2019-1904) ranks 8.8 out of 10 on the CVSS scale. It is due to insufficient CSRF protections for the web UI on impacted devices, said Cisco.
An attacker could exploit the flaw by persuading a user of the web interface to follow a malicious link. Because the web UI is not protected from CSRF, the attacker could then perform arbitrary actions with the privilege level of the affected user.
“If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device,” according to Cisco.
The vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled (The default state of the HTTP Server feature is version dependent according to Cisco). Cisco also offers an online tool that allows users to check whether their Cisco IOS software is vulnerable.
The flaw does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software, said Cisco.
The vulnerability comes a week after a high-severity bug was disclosed allowing remote attackers to hijack Cisco’s enterprise-class Industrial Network Director. The vulnerability was made public last Wednesday along with a patch; there are no workarounds for the bug and a software patch is required, Cisco said.
Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.
