Vulnerability ranked 10 on the CVSS system
Businesses should urgently check which routers their networks are using and patch them after a critical Cisco vulnerability was identified.
The vulnerability has the highest possible severity rating of 10 on the CVSS system. Exploiting it would let an attacker easily grab the credentials of an authenticated user and use them to escalate attacks on sensitive infrastructure.
The issue affects four Cisco products, which must also be running Cisco IOS XE Software for the attack to be effective, the company said in a security update.
The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service.
Critical Cisco Vulnerability Affects These Products
The following four Cisco routers are affected:
- The Cisco 4000 Series Integrated Services Routers
- The Cisco ASR 1000 Series Aggregation Services Routers
- The Cisco Cloud Services Router 1000V Series
- The Cisco Integrated Services Virtual Router
This vulnerability resides in the Cisco REST API virtual service container.
The networking firm said it has released a fixed version of the REST API virtual service container, along with a hardened Cisco IOS XE Software release that prevents installation or activation of a vulnerable container on a device.
Animesh Jain, Signature Engineer at Qualys, said: “Detecting Cisco REST API Virtual Service Container is enabled on the Device –
router#show virtual-service detail | include Restful
Restful API Enabled, UP port: 55443
“If this command does not exist, produces an empty output, or if the string Enabled, UP is absent, the device is not affected by the vulnerability.”
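The check quoted above can be applied to output captured from many devices at once. The following Python snippet is an added example, not code from the article, Qualys or Cisco: it classifies captured output of `show virtual-service detail | include Restful` using exactly the rule Jain describes (an unrecognised command, empty output, or a missing "Enabled, UP" string means the container is not running). The hostnames and CLI outputs are constructed samples; how the output is collected from real routers is left to whatever inventory or automation tooling is already in place.

```python
"""Classify captured IOS XE CLI output for the REST API virtual service container.

Added example (not from the article, Qualys or Cisco). The device names and
the CLI output strings below are constructed for illustration only.
"""
import re
from typing import Dict, Optional

# Matches the "Enabled, UP" state in the "Restful API" line, tolerating the
# variable column spacing that IOS XE uses when it prints the status table.
_ENABLED_UP = re.compile(r"Restful API\s+Enabled,\s+UP", re.IGNORECASE)
_PORT = re.compile(r"port:\s*(\d+)", re.IGNORECASE)

# "% Invalid input detected" is the standard IOS/IOS XE response when the
# parser does not recognise a command, i.e. the command "does not exist".
_INVALID_INPUT = "% Invalid input"

# Constructed sample outputs keyed by hypothetical hostnames.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "edge-rtr-01": "Restful API   Enabled, UP           port: 55443\n",  # container active
    "edge-rtr-02": "Restful API   Disabled, DOWN\n",                    # constructed: installed, not active
    "edge-rtr-03": "",                                                   # no matching line at all
    "core-sw-01": "% Invalid input detected at '^' marker.\n",           # command not supported
}


def rest_api_container_enabled(cli_output: str) -> bool:
    """Return True only when the output shows the REST API container Enabled and UP.

    Applies the rule from the quote: missing command, empty output, or absence of
    the "Enabled, UP" string all mean the device is not exposed through this container.
    """
    if not cli_output.strip():
        return False
    if _INVALID_INPUT in cli_output:
        return False
    return _ENABLED_UP.search(cli_output) is not None


def rest_api_port(cli_output: str) -> Optional[int]:
    """Extract the listening port reported on the Restful API line, if present.

    Useful for cross-checking firewall rules or netflow data once a device
    has been flagged; returns None when the container is not enabled.
    """
    if not rest_api_container_enabled(cli_output):
        return None
    match = _PORT.search(cli_output)
    return int(match.group(1)) if match else None


def triage(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Map each hostname to whether its REST API container is enabled and up."""
    return {host: rest_api_container_enabled(out) for host, out in outputs.items()}


if __name__ == "__main__":
    for host, enabled in triage(SAMPLE_OUTPUTS).items():
        port = rest_api_port(SAMPLE_OUTPUTS[host])
        state = f"REST API container enabled on port {port}" if enabled else "not exposed"
        print(f"{host}: {state}")
```

Devices that come back as enabled are the ones to prioritise for the fixed container and the hardened IOS XE release; the port value lets the network team confirm whether that listener is reachable from anywhere it should not be.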
The team at Qualys advises companies using Cisco routers to scan their environments to confirm that no devices with the affected container are in place; any routers found running affected software should be updated as quickly as possible.
“Putting a full IT asset inventory process in place, building up accurate data on assets that is kept up to date in real time, helps teams be more proactive in situations like these too. Free tools are available to help companies do this in any case.”