Cisco Patches Critical Flaw That Allowed Root Access To Guest OS

Cisco users are being urged to patch now after the networking giant revealed a critical vulnerability that could allow remote attackers to access the Guest Operating System (Guest OS) as the root user.

The vulnerability concerns Cisco IOS software and the improper access control flaw is named as CVE-2019-12648.

CVE-2019-12648 affects Cisco 1000 Series Connected Grid Routers and Cisco 800 Series Industrial Integrated Services Routers, which are running vulnerable releases of Cisco IOS Software with the Guest OS installed.

Cisco flaw

Cisco issued an update about the matter as part of its semi-annual Cisco IOS and IOS XE Software security advisory.

The advisory includes details of 12 Cisco security advisories that describe 13 vulnerabilities in Cisco IOS Software and Cisco IOS XE Software.

Cisco said that it has released software updates that address these vulnerabilities.

“All vulnerabilities have a Security Impact Rating (SIR) of High,” warned the networking giant. “Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorised access to, conduct a command injection attack on, or cause a denial of service (DoS) condition on an affected device.”

Two of the vulnerabilities affect Cisco IOS Software and eight of the vulnerabilities affect Cisco IOS XE Software.

Concerning the CVE-2019-12648 flaw, Cisco said “a vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorised access to the Guest Operating System (Guest OS) running on an affected device.”

“The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts,” said Cisco.

“An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials,” it added. “An exploit could allow the attacker to gain unauthorised access to the Guest OS as a root user.”

Past issues

Cisco issues patches as soon as it becomes aware of flaws. In June this year for example Cisco issued two advisories for facilities managers, over security vulnerabilities found in its data centre equipment.

The first patch concerned a critical flaw found in its Digital Network Architecture (DNA) Center appliance, and the second (a less serious flaw) affected the command-line interface of Cisco’s SD-WAN Solution.

In September 2018 it patched its Video Surveillance Manager software to fix a bug involving root account credentials that were mistakenly left hard-coded into devices.

Cisco flaws can be very serious, due to the centralised use the networking equipment is often used for.

In 2018 for example Iran warned that “advanced actors” had exploited a flaw with Cisco routers to launch an attack that apparently hit 200,000 routers around the world.

Do you know all about security? Try our quiz!