Cisco Patches Critical Flaw That Allowed Root Access To Guest OS

Cisco users are being urged to patch now after the networking giant revealed a critical vulnerability that could allow remote attackers to access the Guest Operating System (Guest OS) as the root user.

The vulnerability concerns Cisco IOS software and the improper access control flaw is named as CVE-2019-12648.

CVE-2019-12648 affects Cisco 1000 Series Connected Grid Routers and Cisco 800 Series Industrial Integrated Services Routers, which are running vulnerable releases of Cisco IOS Software with the Guest OS installed.

Cisco flaw

Cisco issued an update about the matter as part of its semi-annual Cisco IOS and IOS XE Software security advisory.

The advisory includes details of 12 Cisco security advisories that describe 13 vulnerabilities in Cisco IOS Software and Cisco IOS XE Software.

Cisco said that it has released software updates that address these vulnerabilities.

“All vulnerabilities have a Security Impact Rating (SIR) of High,” warned the networking giant. “Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorised access to, conduct a command injection attack on, or cause a denial of service (DoS) condition on an affected device.”

Two of the vulnerabilities affect Cisco IOS Software and eight of the vulnerabilities affect Cisco IOS XE Software.

Concerning the CVE-2019-12648 flaw, Cisco said “a vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorised access to the Guest Operating System (Guest OS) running on an affected device.”

“The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts,” said Cisco.

“An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials,” it added. “An exploit could allow the attacker to gain unauthorised access to the Guest OS as a root user.”

Past issues

Cisco issues patches as soon as it becomes aware of flaws. In June this year for example Cisco issued two advisories for facilities managers, over security vulnerabilities found in its data centre equipment.

The first patch concerned a critical flaw found in its Digital Network Architecture (DNA) Center appliance, and the second (a less serious flaw) affected the command-line interface of Cisco’s SD-WAN Solution.

In September 2018 it patched its Video Surveillance Manager software to fix a bug involving root account credentials that were mistakenly left hard-coded into devices.

Cisco flaws can be very serious, due to the centralised use the networking equipment is often used for.

In 2018 for example Iran warned that “advanced actors” had exploited a flaw with Cisco routers to launch an attack that apparently hit 200,000 routers around the world.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Google Goes On Trial In US Over Ad Tech Dominance

US trial of Google over ad tech market power begins, with forced divestiture of ad…

13 hours ago

US DOJ To Propose Google Penalties By End Of Year

US judge gives Justice Department until end of year to formulate plan for Google punishment…

21 hours ago

Trump ‘To Appoint Musk’ To Gov’t Efficiency Role If Elected

Donald Trump says he would appoint Elon Musk to lead government efficiency commission if elected,…

21 hours ago

Australian Official Received Death Threats After Musk Criticism

Australian eSafety commissioner says she received death threats after Musk criticised her for trying to…

22 hours ago

Man Arrested After ‘Earning Millions’ From AI Music Tracks

US man allegedly earned more than $10m in royalties streaming hundreds of thousands of fake…

22 hours ago

NCSC Calls Out Cyber-Attacks From Russia’s GRU

UK's NCSC and allies outline campaign of attacks from unit of Russia's military intelligence service…

23 hours ago