poplaproductions.blogg.se

Cisco ios xe vs ios











Also credited is James Chambers, a researcher for Red Balloon Security. The bug was discovered during Cisco's internal security testing.


However, there is no information to indicate that the code is publicly available.


To determine if a certain version of IOS XE is vulnerable to CVE-2019-1904, Cisco offers a software checker that identifies any security advisories from the company "that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory."

An exploit has been developed to demonstrate the effect of the vulnerability. Since it depends on the user being logged in, a hacker who fools an administrator into clicking the malicious link could modify the configuration, run commands, or reload the vulnerable devices.

IOS is the base Cisco software that runs on the majority of routers and switches. IOS XE, on the other hand, is a modular IOS architecture designed for the Cisco ASR platform. XE is modular, so different processes run from different modules. So if one module fails it does not affect the whole router unlike. IOS XE is primarily for the ASR router, which is the top-of-the-line Cisco router designed for carrier-class services. IOS XR is a realtime Internetwork Operating System designed for Cisco's high-end carrier routing platforms such as the CNS-1 and the 12000.

The network equipment maker says that disabling the HTTP Server function may be adequate mitigation until upgrading the device is possible. Administrators can disable the HTTP Server feature by using the no ip http server or no ip http secure-server command in global configuration mode. If both http server and http-secure server are in use, then both commands are required to disable the HTTP Server feature.

Successful exploitation of the bug enables attackers to run arbitrary actions on the affected device. This is possible on systems where the HTTP Server feature is active, a state that is not default across the various versions of the software.

"The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link," Cisco says in the advisory.

Identified as CVE-2019-1904, the vulnerability affects outdated versions of Cisco IOS XE and has a severity score of 8.8 out of 10. It exists in the web-based user interface of the product.

Hackers can leverage CSRF flaws to force the execution of unwanted actions in web pages or apps where the victim user has already authenticated. These attacks can be deployed via a malicious link, and the action is executed with the same privileges as the logged-in user.
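The HTTP Server mitigation described above only holds when both listeners are off, and the default state differs between software versions. The following Python check is an added example, not code from Cisco or from the original article: it reads saved running-config text and reports the state of each listener, treating a missing line as unconfirmed. The function names and sample configurations are constructed for illustration, and it assumes the configuration text contains the explicit "ip http ..." or "no ip http ..." lines.

```python
import re

# Exact global-config lines only, so "ip http authentication local" is ignored.
_HTTP_LINE = re.compile(r"^(no\s+)?ip\s+http\s+(server|secure-server)\s*$")

# Constructed sample: HTTP disabled but HTTPS still serving the web UI.
SAMPLE_HALF = """\
hostname edge-rtr-1
!
no ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""
# Constructed sample: both listeners explicitly disabled.
SAMPLE_BOTH_OFF = "hostname edge-rtr-2\nno ip http server\nno ip http secure-server\n"
# Constructed sample: no explicit line, so the version default applies.
SAMPLE_SILENT = "hostname edge-rtr-3\n!\nline vty 0 4\n transport input ssh\n"


def http_server_state(running_config):
    """Return the state of each listener: enabled, disabled or unspecified."""
    state = {"server": "unspecified", "secure-server": "unspecified"}
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if line[:1].isspace():  # indented lines belong to a sub-mode, skip them
            continue
        match = _HTTP_LINE.match(line)
        if match:
            # The last matching line wins, as it would in the device config.
            state[match.group(2)] = "disabled" if match.group(1) else "enabled"
    return state


def web_ui_mitigated(running_config):
    """True only when both listeners are explicitly disabled.

    'unspecified' counts as not mitigated because the default is not the
    same across software versions.
    """
    return all(v == "disabled" for v in http_server_state(running_config).values())


if __name__ == "__main__":
    for name, cfg in [("half", SAMPLE_HALF), ("both-off", SAMPLE_BOTH_OFF),
                      ("silent", SAMPLE_SILENT)]:
        print(name, http_server_state(cfg), "mitigated:", web_ui_mitigated(cfg))
```

A result of "unspecified" means the device's effective state still has to be confirmed on the device itself or against the defaults for its software version.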


Cisco today released an updated version for its IOS XE software to patch a high severity cross-site request forgery (CSRF) vulnerability.











