Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3615.2
Multiple vulnerabilities patched in Cisco IOS XE
1 October 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Root Compromise -- Existing Account
Increased Privileges -- Console/Physical
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Existing Account
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-12672 CVE-2019-12671 CVE-2019-12670
CVE-2019-12667 CVE-2019-12666 CVE-2019-12664
CVE-2019-12663 CVE-2019-12661 CVE-2019-12660
CVE-2019-12659 CVE-2019-12658 CVE-2019-12657
CVE-2019-12655 CVE-2019-12653 CVE-2019-12651
CVE-2019-12650 CVE-2019-12649 CVE-2019-12646
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-awr
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-codeexec
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-ctbypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-digsig-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ftp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-fsdos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-httpserv-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iox-gs
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-isdn-data-leak
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-sip-alg
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-dt
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-rawtcp-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ctspac-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-utd
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-vman-cmd-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-webui-cmd-injection
Comment: This bulletin contains seventeen (17) Cisco security advisories.
Revision History: October 1 2019: CLI command output update
September 26 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software Web UI Command Injection Vulnerabilities
Priority: High
Advisory ID: cisco-sa-20190925-webui-cmd-injection
First Published: 2019 September 25 16:00 GMT
Last Updated: 2019 September 30 15:16 GMT
Version 1.1: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvo61821CSCvp78858CSCvp95724
CVE-2019-12650
CVE-2019-12651
CWE-77
CVSS Score:
7.6 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco
IOS XE Software could allow an authenticated, remote attacker to execute
commands with elevated privileges on the affected device.
For more information about these vulnerabilities, see the Details section
of this advisory.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190925-webui-cmd-injection
This advisory is part of the September 25, 2019, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2019 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication .
Affected Products
o Vulnerable Products
These vulnerabilities affect Cisco devices that are running a vulnerable
IOS XE Software release with the HTTP Server feature enabled.
The default state of the HTTP Server feature is version dependent.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining the HTTP Server Configuration
To determine whether the HTTP Server feature is enabled for a device,
administrators can log in to the device and use the show running-config |
include ip http server|secure-server command in the CLI to check for the
presence of the ip http server command or the ip http secure-server command
in the global configuration. If either command is present and configured,
the HTTP Server feature is enabled for the device.
The following example shows the output of the show running-config | include
ip http server|secure-server command for a device that has the HTTP Server
feature enabled:
Router# show running-config | include ip http server|secure-server
ip http server
ip http secure-server
The presence of either command in the device configuration indicates that
the HTTP Server feature is enabled.
If the output from the previous command also contains:
ip http active-session-modules none
ip http secure-active-session-modules none
The device is not affected by the vulnerabilities described in this
advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Details
o Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco
IOS XE Software could allow an authenticated attacker to execute arbitrary
commands with elevated privileges on an affected device.
The vulnerabilities are not dependent on one another; exploitation of one
of the vulnerabilities is not required to exploit the other vulnerability.
In addition, a software release that is affected by one of the
vulnerabilities may not be affected by the other vulnerability.
Details about the vulnerabilities are as follows.
Cisco IOS XE Software Web UI Low Privileged Command Injection Vulnerability
A vulnerability in the web-based user interface (Web UI) of Cisco IOS XE
Software could allow an authenticated but low-privileged attacker to
execute Cisco IOS commands with elevated privileges (level 15) on an
affected device.
The vulnerability exists because the affected software improperly sanitizes
user-supplied input. An attacker could exploit this vulnerability by
supplying a crafted input parameter on a form in the Web UI and then
submitting that form. A successful exploit could allow the attacker to
execute arbitrary Cisco IOS commands as a privilege level 15 user.
The Common Vulnerabilities and Exposures (CVE) ID for this vulnerability
is: CVE-2019-12651
Cisco IOS XE Software WebUI Privileged Command Injection Vulnerability
A vulnerability in the web-based user interface (Web UI) of Cisco IOS XE
Software could allow an authenticated, remote attacker to execute commands
on the underlying Linux shell of an affected device with root privileges.
The vulnerability exists because the affected software improperly sanitizes
user-supplied input. An attacker who has valid administrator-level access
(level 15) to an affected device could exploit this vulnerability by
supplying a crafted input parameter on a form in the Web UI and then
submitting that form. A successful exploit could allow the attacker to run
arbitrary commands on the device with root privileges, which may lead to
complete system compromise.
The Common Vulnerabilities and Exposures (CVE) ID for this vulnerability
is: CVE-2019-12650
Workarounds
o There are no workarounds that address these vulnerabilities.
Disabling the HTTP Server feature eliminates the attack vector for these
vulnerabilities and may be a suitable mitigation until affected devices can
be upgraded. Administrators can disable the HTTP Server feature by using
the no ip http server or no ip http secure-server command in global
configuration mode. If both http server and http-secure server are in use,
then both commands are required to disable the HTTP Server feature.
Limiting access to the HTTP Server to trusted networks will limit exposure
to these vulnerabilities. The following example shows how to allow remote
access to the HTTP Server from the trusted 192.168.0.0/24 network:
!
ip http access-class 75
ip http secure-server
!
access-list 75 permit 192.168.0.0 0.0.0.255
access-list 75 deny any
!
Note : In newer versions of IOS XE Software, to apply the access list use
the ip http access-class ipv4 75 command for the previous example. Cisco
Guide to Harden Cisco IOS Devices provides additional information about how
to harden the device and secure management access.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker
, that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory ("First Fixed"). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified ("Combined First Fixed").
Customers can use this tool to perform the following tasks:
Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
Enter the output of the show version command for the tool to parse
Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco
IOS or IOS XE Software release-for example, 15.1(4)M2 or 3.13.8S -in the
following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes , Cisco IOS XE 3S
Release Notes , or Cisco IOS XE 3SG Release Notes , depending on the Cisco
IOS XE Software release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Tahir Khan of Verizon for finding and reporting
the vulnerability identified as CVE-2019-12651. The vulnerability
identified as CVE-2019-12650 was found by ASIG - XB of Cisco during
internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Action Links for This Advisory
o Snort Rule 50117
Snort Rule 50118
Snort Rule 51622
Snort Rule 51623
Snort Rule 51624
Snort Rule 51625
Related to This Advisory
o Cisco Event Response: September 2019 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190925-webui-cmd-injection
Revision History
o +---------+-------------------+--------------+--------+-------------------+
| Version | Description | Section | Status | Date |
+---------+-------------------+--------------+--------+-------------------+
| 1.1 | CLI command | Vulnerable | Final | 2019-September-30 |
| | output update. | Products | | |
+---------+-------------------+--------------+--------+-------------------+
| 1.0 | Initial public | - | Final | 2019-September-25 |
| | release. | | | |
+---------+-------------------+--------------+--------+-------------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXZKscmaOgq3Tt24GAQhTnBAA1haQoTsFCS69+yMsZ+GK9Xo2Dli3PzlJ
Lc33DYAWHXZgDqgCND++chHDL/xOw5EFhj2BWyu1xaz5VR22VgIv7hZEOpxIq73f
If0Xi4cJF0/BN0abi5YjoxOQU0+xh3bQDTkxHvyT8CbUDBixT29oqREBi9QVkBIY
sl5N9cqaE6L396BBYtq0WO3H//XQtF8VDWK+hHHdRGuQdNsPYUS7MynNeBO1uBsp
0MzTWJwn3wDG5YLlbLcB6qQaZq2Nfa/eBEZ4+YLCOXXdd1PDuxabG7RKhNO8Xerl
ZJas6sIWbdKm0mythG2eoTmDJaW/Bmw9LFtje+P/YRbhy7Tvzh5U45IaYxMajlVD
4lJGEw3u1bgwz9Yp9i9NNdJeky2qh5A/mAhMkVIleOgKrUI6lpW9VYnf5tP8XGpF
DdGv69y1DTVGw3sXyOxkW91fn+3skRgkcirsVusq9r3VCghAmG8rmIXn9mL9622P
F+1NEJw0ovZOSAY6xH91nkMyVhLwT/0OuC7yY7lZ3/ZkDt1uKDffk0gwpfdaQp7S
iam53tCL5583a/K/4XN8ulHQqvBRQJ6fTKt6GDqWr+SoogEIWOWfdY0FpODILtEc
0hZAnr7edVpzLIekJA4PZ3DEFR6R3JYbYAlwsg6MuMwWIKkXjpTo9zu6lzv1/iEb
XGtNyCHTLBU=
=ptBg
-----END PGP SIGNATURE-----