Cisco Patches Critical Flaw That Allowed Root Access To Guest OS

Cisco users are being urged to patch now after the networking giant revealed a critical vulnerability that could allow remote attackers to access the Guest Operating System (Guest OS) as the root user.

The vulnerability concerns Cisco IOS software and the improper access control flaw is named as CVE-2019-12648.

CVE-2019-12648 affects Cisco 1000 Series Connected Grid Routers and Cisco 800 Series Industrial Integrated Services Routers, which are running vulnerable releases of Cisco IOS Software with the Guest OS installed.

Cisco flaw

Cisco issued an update about the matter as part of its semi-annual Cisco IOS and IOS XE Software security advisory.

The advisory includes details of 12 Cisco security advisories that describe 13 vulnerabilities in Cisco IOS Software and Cisco IOS XE Software.

Cisco said that it has released software updates that address these vulnerabilities.

“All vulnerabilities have a Security Impact Rating (SIR) of High,” warned the networking giant. “Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorised access to, conduct a command injection attack on, or cause a denial of service (DoS) condition on an affected device.”

Two of the vulnerabilities affect Cisco IOS Software and eight of the vulnerabilities affect Cisco IOS XE Software.

Concerning the CVE-2019-12648 flaw, Cisco said “a vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorised access to the Guest Operating System (Guest OS) running on an affected device.”

“The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts,” said Cisco.

“An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials,” it added. “An exploit could allow the attacker to gain unauthorised access to the Guest OS as a root user.”

Past issues

Cisco issues patches as soon as it becomes aware of flaws. In June this year for example Cisco issued two advisories for facilities managers, over security vulnerabilities found in its data centre equipment.

The first patch concerned a critical flaw found in its Digital Network Architecture (DNA) Center appliance, and the second (a less serious flaw) affected the command-line interface of Cisco’s SD-WAN Solution.

In September 2018 it patched its Video Surveillance Manager software to fix a bug involving root account credentials that were mistakenly left hard-coded into devices.

Cisco flaws can be very serious, due to the centralised use the networking equipment is often used for.

In 2018 for example Iran warned that “advanced actors” had exploited a flaw with Cisco routers to launch an attack that apparently hit 200,000 routers around the world.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

BT Eagle-i Seeks To Predict, Prevent Cyberattacks

Proactive security approach. New security platform from BT Security, dubbed 'Eagle-i', seeks to predict and…

2 days ago

Apple Risks South Korean Clash After Investigation Warning

South Korean government official warns of possible investigation into Apple's compliance with new App Store…

2 days ago

Moscow Metro Facial Recognition System For Speedy Payments

Privacy concern. Moscow's Metro system has launched 'Face Pay', a mass facial recognition system for…

3 days ago

US Army Delays $22 Billion Microsoft Augmented Reality Headsets

United States Army pushes back deployment date of Microsoft's augmented reality headsets, but insists it…

3 days ago

TSMC Confirms Chip Plant For Japan

Taiwanese chip giant TSMC confirms it will build a chip factory in Japan, that will…

3 days ago

GitLab Raises $800m In Successful Initial Public Offering

After a successful public debut that raised hundreds of millions of dollars, coding platform GitLab…

3 days ago