Cisco has warned of a serious vulnerability discovered in Cisco IOS XE software. The bug that existed in its web interface could allow a remote attacker to infiltrate the system through malicious ads.
Vulnerability In Cisco IOS XE Software Web Interface
A security vulnerability in Cisco IOS XE software web interface could allow remote attacks on a target system. The flaw in the software’s web UI could allow an unauthenticated attacker to utilise CSRF based attacks.
To exploit the vulnerability an attacker would need to trick the victim into following a malicious link. Describing the flaw in detail, Cisco stated in their security advisory:
The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link.
Once clicked, the attacker could then gain user access to the target system without authentication, and could perform various actions.
A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.
The vulnerability, CVE-2019-1904, received a high-severity rating with a CVSS base score of 8.8.
Cisco Patched The Flaw
As elaborated, the vulnerability affected the Cisco devices running a vulnerable version of the software with HTTP Server enabled. Yet, the products remaining unaffected by this bug include Cisco IOS Software, Cisco NX-OS Software, or Cisco IOS XR Software.
The vendors confirmed no workaround exists to address the flaw. Yet, as possible mitigation, they recommend disabling HTTP Server feature.
Nonetheless, they have released fixes with software updates as well for the users. So, the suggested mitigation shall work to protect from this vulnerability until the users update their systems.
Take your time to comment on this article.