Cisco Patches Critical Flaw That Allowed Root Access To Guest OS

Cisco users are being urged to patch now after the networking giant revealed a critical vulnerability that could allow remote attackers to access the Guest Operating System (Guest OS) as the root user.

The vulnerability concerns Cisco IOS software and the improper access control flaw is named as CVE-2019-12648.

CVE-2019-12648 affects Cisco 1000 Series Connected Grid Routers and Cisco 800 Series Industrial Integrated Services Routers, which are running vulnerable releases of Cisco IOS Software with the Guest OS installed.

Cisco flaw

Cisco issued an update about the matter as part of its semi-annual Cisco IOS and IOS XE Software security advisory.

The advisory includes details of 12 Cisco security advisories that describe 13 vulnerabilities in Cisco IOS Software and Cisco IOS XE Software.

Cisco said that it has released software updates that address these vulnerabilities.

“All vulnerabilities have a Security Impact Rating (SIR) of High,” warned the networking giant. “Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorised access to, conduct a command injection attack on, or cause a denial of service (DoS) condition on an affected device.”

Two of the vulnerabilities affect Cisco IOS Software and eight of the vulnerabilities affect Cisco IOS XE Software.

Concerning the CVE-2019-12648 flaw, Cisco said “a vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorised access to the Guest Operating System (Guest OS) running on an affected device.”

“The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts,” said Cisco.

“An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials,” it added. “An exploit could allow the attacker to gain unauthorised access to the Guest OS as a root user.”

Past issues

Cisco issues patches as soon as it becomes aware of flaws. In June this year for example Cisco issued two advisories for facilities managers, over security vulnerabilities found in its data centre equipment.

The first patch concerned a critical flaw found in its Digital Network Architecture (DNA) Center appliance, and the second (a less serious flaw) affected the command-line interface of Cisco’s SD-WAN Solution.

In September 2018 it patched its Video Surveillance Manager software to fix a bug involving root account credentials that were mistakenly left hard-coded into devices.

Cisco flaws can be very serious, due to the centralised use the networking equipment is often used for.

In 2018 for example Iran warned that “advanced actors” had exploited a flaw with Cisco routers to launch an attack that apparently hit 200,000 routers around the world.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

2 days ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

2 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

3 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

3 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

3 days ago