CVE-2019-12643: Cisco REST Application Programming Interface (API) Vulnerability Allows Remote, Unauthorized, Privileged Actions

Introduction

According to Cisco’s official site, Cisco IOS XE is, “an open and flexible operating system optimized for a new era of enterprise networks.” The description continues as an open, standards-based software solution that is programmable, easy to integrate and upgrade, and designed with security in mind. Devices that support Cisco IOS XE also have the option to install and enable the Cisco REST API application, which operates in a virtual container. The REST API is the interface into the management information tree (MIT), which uses REST architecture, and allows, “manipulation of the object model state.” Basically, it’s an alternative to the default command line interface when working with device functions. The API processes HTTP and HTTPS requests that contain JavaScript Object Notation (JSON) or Extensible Markup Language (XML) documents, in any programming language, and uses a token ID authentication system. While the REST API may be a useful interface when working with Cisco devices, a critical vulnerability in the API can cause a remote attacker to bypass authentication measures and execute unauthorized, privileged actions on network devices.

Vulnerability

According to a security report released by Cisco on 28 August 2019, the vulnerability in the REST API is caused by an “improper check performed by the area of code that manages the REST API authentication service.” Thusly, in order to successfully exploit this vulnerability, a remote attacker passes malicious HTTP requests to the API and obtains an authorized user’s token ID. In the same report, four types of devices were confirmed to be vulnerable:

• Cisco 4000 Series Integrated Services Routers
• Cisco ASR 1000 Series Aggregation Services Routers
• Cisco Cloud Services Router 1000V Series
• Cisco Integrated Services Virtual Router

Impact

If the attacker obtains a token ID, then that malicious actor can bypass authentication measures and execute unauthorized, privileged actions on the network device. Due to the relative simplicity of exploitation, in terms of attack vector, complexity and threat to confidentiality, integrity, and availability, the CVSS score for this CVE is 10.0 critical. Once an attacker gains access from a stolen token ID, the full impact of the attack is limited only to the attacker’s goals and intentions. 

Mitigation

Fortunately, a specific set of requirements need to be met in order for the device to be vulnerable. The device must:

• Be running an affected version of Cisco IOS XE
• Have installed and enabled an affected version of the Cisco REST API virtual service container
• Already have an authorized user with level 15 admin credentials authenticated to the API

The Cisco REST API is an alternative to the default Cisco IOS XE CLI, which means it is not “on” by default. Additionally, this vulnerability encompasses malicious HTTP requests, but the API does not accept HTTP requests by default (according to Cisco’s REST API documentation). Finally, Cisco has also released software patches for both the REST API and IOS XE. However, details and patches appear to be restricted to customers who have service contracts directly with Cisco, as these products are enterprise-level software solutions. Version 16.09.03 update for the REST API was confirmed through Cisco’s official statement on the vulnerability, but an easier way to discover and patch vulnerabilities in Cisco devices is by downloading their IOS Software Checker, which checks software versions against versions found in Cisco’s security advisories, and returns the earliest version releases that patch the issues found.

References

“Cisco APIC REST API Configuration Guide.” Retrieved from: www.cisco.com. 01 October 2019.

“Cisco IOS XE 16: Secure, Open, and Flexible.“ Retrieved from: www.cisco.com. 30 September 2019.

“Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability.” Retrieved from: tools.cisco.com. 01 October 2019.

“CVE-2019-12643 Detail.” Retrieved from: nvd.nist.gov/vuln. 30 September 2019.