Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software
Cisco has alerted customers using its IOS and ISO XE networking gear software to apply updates for 34 flaws across 25 high-severity security advisories.
The large number of flaws affecting ISO and ISO XE are due to the advisories being announced as part of Cisco’s semi-annual release for the widely used software for Cisco routers and network switches, which happens in April and September.
Cisco’s IOS stands for Internetworking Operating System and is based on Linux.
There are two advisories with a severity score of 8.8, the highest of this release’s 25 high-severity advisories. One, tracked as CVE-2020-3400, is an authorization bypass vulnerability in the Cisco IOS XE software web user interface (UI) that may allow a remote attacker with valid credentials to use part of the UI. It’s due to insufficient authorization of web UI access requests and could allow a user with read-only rights to perform actions with Admin user rights.
SEE: Network security policy (TechRepublic Premium)
“An attacker could exploit this vulnerability by sending a crafted HTTP request to the web UI. A successful exploit could allow the attacker to utilize parts of the web UI for which they are not authorized,” explains Cisco.
While there’s no workaround Cisco notes that disabling the HTTP Server feature blocks the attack vector for this bug and maybe a suitable mitigation until affected devices are upgraded.
The second advisory concerns two privilege escalation vulnerabilities in the web management framework of IOS XE. These are tracked as CVE-2020-3141 and CVE-2020-3425 and can allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an administrator user on an affected device.
Cisco notes attackers don’t need to exploit both of the bugs to attack an affected device. CVE-2020-3141 is due to a lack of input and validation-checking mechanisms for certain HTTP requests to APIs on an affected device.
“An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a read-only user to execute CLI commands or configuration changes as if they were an administrative user,” Cisco notes.
CVE-2020-3425 is found in the authentication controls of the web management framework, which could allow an attacker to send a crafted API call and a privileged authentication token that gives them administrator privileges on the affected device.
Once again, there is no workaround. However, Cisco notes that “disabling the HTTP Server feature eliminates the attack vector for these vulnerabilities and may be a suitable mitigation until affected devices can be upgraded.”
Other advisories with a severity score of 8.6 include denial of service (DoS) vulnerabilities affecting various products running IOS XE, including: Catalyst 9800 Series and Cisco AireOS software for WLC Flexible NetFlow Version 9; Catalyst 9800 Series wireless controllers multicast DNS; Cisco 4461 integrated Services Routers; cBR-8 Converged Broadband Routers DHCP; a IOS XE software IP service-level agreements; Software Zone-Based Firewall; and the wireless controller software for the Catalyst 9000 Family CAPWAP.