Speaking of software weaknesses, leading network gear vendors have also been a well of software security vulnerabilities, including brands such as Juniper, Aruba, QNAP, and Cisco. One of the biggest networking equipment leaders in the world, Cisco, has suffered a critical software vulnerability. A Security Advisory release on the official Cisco website has publicly confirmed that multiple vulnerabilities have been unearthed. Among them, one particular software vulnerability was rated as being a critical risk and is worthy of note.
The Cisco IOS XE Software Vulnerability
On September 22nd, 2021 the official Cisco Security Advisory portal released information regarding multiple software vulnerabilities. The software vulnerability concerns Cisco IOS XE Software and was entered into the public CVE (Common Vulnerabilities and Exposures) database with CVE ID CVE-2021-1619. Cisco IOS XE Cisco IOS XE is, according to the official Cisco website, “an open and flexible operating system optimized for the future of work. As the single OS for enterprise wired and wireless access, aggregation, core, and WAN, Cisco IOS XE reduces business and network complexity.” Cisco IOS XE is a Linux-based OS introduced by Cisco in 2008, it is a widely used software architecture that works and applies optimization between the operating system and IOS processes.
Technical Details
The vulnerability type is an ‘Access of Uninitialized Pointer in Cisco IOS Xe Software.’ The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to an uninitialized pointer in the authentication, authorization, and accounting (AAA) function. A remote attacker can send a series of NETCONF or RESTCONF requests and use NETCONF or RESTCONF to install, manipulate, or delete the configuration of a network device.
Vulnerable Software Versions And Products
The following software versions are vulnerable to the critical software vulnerability;
Cisco IOS XE: 16.12.3, 16.12.4, 17.3.1 Cisco Catalyst 4000 Series Switches: All versions Cisco 2800 Series Integrated Services Routers: All versions
The products that are confirmed as ‘Not Vulnerable’ are;
IOS Software IOS XR Software Meraki products NX-OS Software
Important User Information
Workarounds and fixes have been released that mitigate the critical software vulnerability CVE-2021-1619. Users of Cisco IOS XE can resolve the issue by either;
Using the Cisco Software Checker tool Manually determining whether a device is vulnerable by following the instructions here
Users of Cisco IOS XE can also check the ‘Workarounds’ and ‘Fixed Software’ sections found on the lower portion of the same page.
