Cisco has patched a high-severity bug in the web-based user interface of its IOS XE software. The flaw lets anyone on the internet stealthily break into internal networks without a password.
This newly disclosed issue, tracked as CVE-2019-1904, can be exploited by a remote attacker using a cross-site request forgery (CSRF) attack on affected systems.
Cisco IOS XE is the Linux-based version of the company's internetworking operating system (IOS), used on numerous enterprise routers and Cisco Catalyst switches. Cisco confirmed the bug doesn't affect IOS, IOS XR, or NX-OS variants.
"The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link," Cisco explains.
In an attack scenario, a CSRF exploit could be hidden inside malicious ads, lending itself to weaponization in an exploit kit. The appeal of exploiting this flaw is that it would allow an attacker to target internal networks or admins without setting off any alarms.
An attacker who successfully exploits the flaw can perform any action they want with the same privilege level as the affected user.
"If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device," Cisco warns.
The only way to address this vulnerability is to install software updates Cisco has made available. And those updates are only available to customers with a valid Cisco license.
The bug was discovered by researchers at Red Balloon Security, the firm that discovered Thangrycat, a dire bug disclosed in May that affected Cisco's Trust Anchor module (TAm), a proprietary hardware security chip present in Cisco gear since 2013.
The firm also found a separate remote code execution flaw in the web interface of IOS XE.
While there is no workaround for the new bug, disabling the HTTP Server feature closes this attack vector and "may be a suitable mitigation" until affected devices are running a fixed version, according to Cisco.
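For administrators who want to check a fleet of devices for the mitigation Cisco describes, the following added example (editor's code, not Cisco's and not from the advisory) parses IOS XE running-config text and reports whether the HTTP server feature is on. It treats both `ip http server` and `ip http secure-server` as the web UI listeners to disable, which is an assumption about the scope of Cisco's "HTTP Server feature"; the sample configuration is constructed, and the script reports absence of either line as "not set" rather than guessing the platform default.

```python
"""Audit IOS XE running-config text for the web UI (HTTP server) feature.

Editor's added example, not code from Cisco or the advisory. The parser
handles both the enabling form ("ip http server") and the explicit
disabling form ("no ip http server"). Absence of either line is reported
as "not set" because the platform default is not stated on the page
(assumption: the operator checks the default for their platform).
"""

# Assumption: both listeners make up the "HTTP Server feature" the
# advisory refers to, so both must be disabled to close the vector.
HTTP_FEATURES = ("ip http server", "ip http secure-server")

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""


def audit_http_server(config_text):
    """Return a dict mapping feature -> 'enabled' | 'disabled' | 'not set'.

    Exact-line matching is used on purpose: "ip http authentication local"
    must not be mistaken for "ip http server".
    """
    state = {feature: "not set" for feature in HTTP_FEATURES}
    for raw in config_text.splitlines():
        line = raw.strip()
        for feature in HTTP_FEATURES:
            if line == feature:
                state[feature] = "enabled"
            elif line == "no " + feature:
                state[feature] = "disabled"
    return state


def remediation_commands(state):
    """IOS XE config-mode commands that would turn off the web UI listeners.

    Anything not explicitly disabled (enabled or not set) gets an explicit
    "no ..." line, so the result is safe regardless of platform defaults.
    """
    return ["no " + feature for feature, status in state.items()
            if status != "disabled"]


if __name__ == "__main__":
    result = audit_http_server(SAMPLE_CONFIG)
    for feature, status in result.items():
        print(f"{feature}: {status}")
    for command in remediation_commands(result):
        print(f"  remediation: {command}")
```

Disabling these listeners removes web-based management of the device along with the attack vector, so the output is a starting point for a change ticket rather than something to push automatically; per Cisco, it is a mitigation until the fixed software is installed, not a replacement for the update.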
Cisco notes that there is proof-of-concept exploit code for this IOS XE vulnerability. However, it adds there's no indication yet that the exploit code is publicly available.