Cisco Patches 29 Vulnerabilities and a Critical Flaw in ASR 9000 Routers

Cisco Patches 29 Vulnerabilities and a Critical Flaw in ASR 9000 Routers

April 23, 2019 Off By Hoofer

Written by David Marshall

Cisco’s latest round of security updates addresses 29 vulnerabilities in multiple Cisco products that could allow a remote attacker to take control of an affected system.

Administrators in charge of Cisco ASR 9000 Series Aggregation Services Routers have been instructed to urgently address the flaw as soon as possible.  Tracked as CVE-2019-1710, it features a CVSS score of 9.8 out of 10, the vulnerability could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin virtual machine (VM).

ASR flaw CVE-2019-1710 is reported as a “vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software” and it “could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM,” according to a security update made on April 17th.

The vulnerability is caused by an incorrect isolation of the secondary management interface from internal sysadmin applications.  Only ASR 9000 routers that have the secondary management interface (physically MGT LAN 1 on the route switch processor (RSP)) connected and configured are affected.

“An attacker could exploit this vulnerability by connecting to one of the listening internal applications.  A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device,” Cisco notes in an advisory.

The best way to address the flaw is to install the latest version of the IOS XR firmware (6.5.3 or 7.0.1).  The update is available for free to organizations running a supported and previously or currently licensed version of IOS.

Admins who are unable to get the patch can also lock down their routers by editing the calvados_bootstrap.cfg file within the sysadmin VM:

#CTRL_VRF=0
#MGMT_VRF=2

Should be changed to

CTRL_VRF=0
MGMT_VRF=2


Cisco also released fixes for 6 high-severity bugs in Inter-Access Point Protocol (IAPP) messages by Wireless LAN Controller (WLC) software, and in the administrative GUI configuration and the web-based management interface of WLC software, as well as in the phone book feature of Expressway Series and TelePresence Video Communication Server (VCS), and the development shell authentication for Aironet Series Access Points running the AP-COS operating system.

A total of 23 medium-severity flaws were also addressed, impacting WLC software, the URL block page of Cisco Umbrella, UCS B-Series Blade Servers, Unified Communications Manager (Unified CM), DNA Center, Registered Envelope Service, Prime Network Registrar, Identity Services Engine (ISE), ASR 9000 routers, IOS XR Software, Expressway Series and TelePresence VCS, Email Security Appliance (ESA), Firepower Management Center (FMC), Directory Connector, and Aironet Series Access Points.

Information on the addressed vulnerabilities, including their CVEs and CVSS scores, can be found on Cisco’s security center portal.

##

About the Author

David Marshall is an industry recognized virtualization and cloud computing expert, an eleven time recipient of the VMware vExpert distinction, and has been heavily involved in the industry for the past 20 years.  To help solve industry challenges, he co-founded and helped start several successful virtualization software companies such as ProTier, Surgient, Hyper9 and Vertiscale. He also spent a number of years transforming desktop virtualization while at Virtual Bridges.

David is also a co-author of two very popular server virtualization books and the Technical Editor on Wiley’s “Virtualization for Dummies” and “VMware VI3 for Dummies” books.  David authored countless articles for a number of well known technical magazines, including: InfoWorld, Virtual-Strategy and TechTarget.  In 2004, he founded the oldest independent virtualization and cloud computing news site, VMblog.com, which he still operates today.

Follow David Marshall

Twitter: @vmblog
LinkedIn: https://www.linkedin.com/in/davidmarshall
Blog: http://vmblog.com