Tag Archives: Cisco IOS XE

Blog Post Shout Out: Cisco IOS XE and Drupal Security Updates

I wish to provide a respectful shout to the following security advisories and news articles for their coverage of critical security vulnerabilities within Cisco IOS XE and the Drupal CMS (defined) released on the 28th and 29th of March respectively.

The backdoor (defined) account being remediated within the Cisco IOS XE update could have allowed an unauthenticated attack to remotely access the Cisco router or an affected switch and carry out any action allowed by privilege level 15

Meanwhile the Drupal vulnerability (dubbed “Drupalgeddon2”) is rated as highly critical since the vulnerability is both remotely exploitable and easy for an attacker to leverage allowing the attacker to carry out any action they choose.

Please follow the advice within the below linked to advisories and update any affected installations of these products that your organisation may have:

March 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

Cisco Removes Backdoor Account from IOS XE Software (includes mitigations if patching is not possible) by Catalin Cimpanu (Bleeping Computer)

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

Drupal Issues Highly Critical Patch: Over 1m Sites Vulnerable by Tom Spring (Kaspersky ThreatPost)

Thank you.

Cisco Releases Scheduled Security Updates For IOS and IOS XE

Earlier this week Cisco released security updates to address authentication bypass and denial of service (defined) security vulnerabilities within Cisco IOS and IOS XE.

Why Should These Issues Be Considered Important?
The SSHv2 RSA authentication bypass vulnerability could allow an unauthenticated remote attacker to obtain the access privileges of the logged in user or the privileges of the Virtual Teletype (VTY) line which could be admin privileges. The attacker would however need to know a valid user name and possess a specifically crafted private key. The only workaround to this issue is to disable RSA based SSHv2 authentication.

Meanwhile a vulnerability in the processing of IPv4 packets that require Network Address Translation (NAT) and Multiprotocol Label Switching (MPLS) services could allow an unauthenticated remote attacker to cause your Cisco IOS XE device to stop functioning (namely a denial of service attack. The attacker would only need to send the device a specifically crafted IPv4 (defined) packet.

This flaws affects the following products:

  • Cisco ASR 1000 Series
  • Cisco ISR 4300 Series
  • Cisco ISR 4400 Series
  • Cisco Cloud Services 1000v Series Routers

Separately 2 vulnerabilities in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could also cause a denial of service issue. For an attacker to exploit the insufficient validation of IPv6 ND packets they would only need to send it a malformed IPv6 packet. For the second flaw, the insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets an attacker would need to send a large amount of specifically crafted IPv6 ND packets to a vulnerable device.

For the vulnerabilities involving the processing of IPv4 and IPv6 (defined) packets, no workarounds are available (apart from disabling the IPv6 snooping feature) to mitigate the 2x IPv6 flaws until the appropriate security updates are installed.

The remaining vulnerabilities affect any Cisco device running IOS and/or IOS XE. As you can see, only the access bypass issue is likely to pose a challenge to a determined adversary, all other issues discussed above could potentially be easily exploited.

How Can I Protect Myself From These Issues?
Within the Cisco security advisory you can use the link provided to access the Cisco IOS Software Checker to determine if your Cisco IOS device is vulnerable to these issues. This security advisory also provides the links to the individual advisories for each vulnerability which contain the steps to install the appropriate updates.

Thank you.