Friday, September 27, 2019

Cisco warning: These routers running IOS have 9.9/10-severity security flaw


Cisco has disclosed over a dozen high-severity vulnerabilities affecting the widely deployed Cisco IOS and IOS XE network automation software, including a nasty one affecting its industrial routers and grid routers.

The company is also warning customers to disable an L2 traceroute feature in IOS for which there is public exploit code. 

The 9.9-severity bug is due to an incorrect role-based access control (RBAC) evaluation for controlling access to the guest OS in IOS.

An attacker would need to be authenticated to exploit the bug. However, due to the RBAC issue, the bug allows a low-privilege user to request access to a guest OS – such as a Linux instance running on a VM within an affected device – that should be restricted to administrative accounts. These are defined in IOS as 'level 15' accounts. An attacker can exploit the bug to gain access to the OS as the root user.

There are no workarounds, so customers will need to ensure they're running a fixed version of IOS. However, if an upgrade can't be done immediately, Cisco suggests that disabling the guest OS "eliminates the attack vector" and so may be a suitable mitigation. Cisco offers instructions for uninstalling the guest OS in its advisory.

Cisco has also published an informational advisory for an issue in the Layer 2 network traceroute utility in IOS and IOS XE. The feature is enabled by default on Cisco Catalyst switches. The company notes it is aware of public exploit code available for this issue.

Cisco is urging admins to review which versions of Cisco IOS and IOS XE their devices are running to ensure these have been updated to versions that address 13 separate flaws.

By design, Cisco notes, the L2 traceroute server doesn't require authentication and allows an attacker to collect a whole lot of information about an affected device, including the hostname, hardware model, configured interfaces and IP addresses, VLAN database, MAC address table, Layer 2 filtering table, and Cisco Discovery Protocol neighbor information. 

"Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network," Cisco warns. 

Cisco has provided information about how to secure the L2 traceroute server in the advisory. The advice includes, among other things, disabling the server or upgrading to a version of IOS or IOS XE that has it disabled by default. 

However, upgrading to a version with it disabled won't be possible until later this year. These versions include Cisco IOS 15.2(7)E1 (December 2019) and later; Cisco IOS XE 3.11.1E (December 2019) and later; and Cisco IOS XE 17.2.1 (March 2020) and later.

In the meantime, there are also options to restrict access through control-plane policing or access control lists.   
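To find which switches still need one of these mitigations, an audit can combine the release thresholds above with each device's configuration. The following is an added example, not code from Cisco or the article: the function names and inventory entries are constructed, and it assumes the global command `no l2 traceroute` is what disables the server and that releases are only comparable within the same train.

```python
import re

# First releases with the L2 traceroute server disabled by default, as listed
# in the article. Comparison is only attempted within the same release train.
FIXED = {
    ("IOS", "E"): (15, 2, 7, 1),      # 15.2(7)E1
    ("IOS XE", "E"): (3, 11, 1, 0),   # 3.11.1E
    ("IOS XE", ""): (17, 2, 1, 0),    # 17.2.1
}
IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)$")  # 15.2(7)E1
XE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Z]*)$")          # 3.11.1E, 17.2.1

def parse_version(os_name, version):
    """Return (train, comparable tuple), or None if the string is not understood."""
    m = (IOS_RE if os_name == "IOS" else XE_RE).match(version.strip())
    if not m:
        return None
    if os_name == "IOS":
        major, minor, maint, train, rebuild = m.groups()
        return train, (int(major), int(minor), int(maint), int(rebuild or 0))
    major, minor, maint, train = m.groups()
    return train, (int(major), int(minor), int(maint), 0)

def l2_traceroute_status(os_name, version, running_config):
    """Classify the L2 traceroute server as 'disabled', 'enabled' or 'unknown'."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    if "no l2 traceroute" in lines:
        return "disabled"   # explicitly turned off (assumed command)
    if "l2 traceroute" in lines:
        return "enabled"    # explicitly turned on, overriding any default
    parsed = parse_version(os_name, version)
    fixed = FIXED.get((os_name, parsed[0])) if parsed else None
    if fixed is None:
        return "unknown"    # other train or unparsable: check by hand
    return "disabled" if parsed[1] >= fixed else "enabled"

if __name__ == "__main__":
    # Constructed inventory: (hostname, OS, release, running-config excerpt)
    inventory = [
        ("sw-access-01", "IOS", "15.2(7)E", "hostname sw-access-01\n!"),
        ("sw-access-02", "IOS", "15.2(4)E8", "hostname sw-access-02\nno l2 traceroute"),
        ("sw-core-01", "IOS XE", "16.12.1", "hostname sw-core-01\n!"),
        ("sw-old-01", "IOS", "15.0(2)SE11", "hostname sw-old-01\n!"),
    ]
    for host, os_name, release, cfg in inventory:
        print(host, l2_traceroute_status(os_name, release, cfg))
```

Devices reported as "enabled" or "unknown" are the ones to review for disabling the server or restricting access to it.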


