The networking giant is recommending that all admins review which versions of Cisco IOS and IOS XE their devices are running to make sure that they have been updated to versions that address the 13 separate flaws it discovered.
The 13 high-severity vulnerabilities disclosed by Cisco could give an attacker unauthorized access to an affected device, allow them to run a command-injection attack, or deplete a device's resources which would lead to a denial of service.
- Cisco fined for selling software with security flaws
- Cisco backs US GDPR calls
- Major security issues found in Cisco routers
The CVE-2019-12648 bug in the IOx application environment of IOS is the most severe and it affects large network operators who use the company's 800 Series Industrial Integrated Services Routers and its 1000 Series Connected Grid Routers. Luckily though, the bug is contained within a guest operating system running on a virtual machine of an affected IOS device. However, it can be remedied by upgrading to a fixed version of IOS but if this is not possible, Cisco suggests that users disable the guest OS and it provided instructions on how to uninstall it in its advisory.
Layer 2 network traceroute utility
Cisco has also published an advisory regarding an issue in the Layer 2 network traceroute utility in IOS and IOS XE. Cisco Catalyst switches have this feature enabled by default and according to the company, public exploit code is already available for this issue.
The L2 traacerout server does not require authentication by design and this means that an attacker can collect loads of information about an affected device including the hostname, hardware model, configured interfaces and IP addresses, VLAN database, Mac address, Layer 2 filtering table and Cisco Discovery Protocol neighbor information.
In its advisory (opens in new tab) regarding this issue, Cisco explained that: “Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network.”
To fix the issue, users can disable their L2 tracerouter server manually or upgrade to a version of IOS or IOS XE that has it disabled by default. However, the later won't be possible until later this year when Cisco releases updated versions of the software.
- We've also highlighted the best small business routers of 2019
Via ZDNet (opens in new tab)