CVE-2019-12643: Cisco IOS XE Authentication Bypass Vulnerability
October 18, 2019 | Trend Micro Research Team
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, John Simpson and Dusan Stevanovic of the Trend Micro Research Team detail a recent authentication bypass vulnerability in Cisco IOS XE. The following is a portion of their write-up covering CVE-2019-12643, with a few minimal modifications.
An authentication bypass vulnerability has been reported in the Cisco REST API virtual service container for Cisco IOS XE Software. The vulnerability is due to a debugging API endpoint of the REST API authentication (token) service being enabled by default.
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation could result in an authentication bypass by obtaining the token-id of an authenticated user.
Cisco IOS XE is a version of Cisco’s Internetworking Operating System (IOS) that runs on top of a Linux operating system, with the traditional IOS functionality running as a separate process. IOS XE runs on a variety of physical hardware such as network switches, wireless controllers and routers, as well as on virtualized appliances. As of version 16.2, IOS XE supports “service containers”, which allow applications to be hosted directly on an IOS XE platform as Linux Containers (LXC) or as virtual machines under the Kernel-based Virtual Machine (KVM). Such applications may include network monitoring agents, additional networking functionality, or other applications.
Cisco offers a service container that adds REpresentational State Transfer (REST) API functionality to specific IOS XE devices that support service containers, allowing for the administration of the device through the HTTP-based API accessible via HTTPS by default on port 55443/TCP. This functionality is provided for a subset of Cisco platforms listed under the Affected Product section of the Security Advisory.
HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:
where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF), and SP represents a space character. Parameters can be passed from the client to the server as name-value pairs either in the Request-URI or in the message body, depending on the Method used and the Content-Type header. For example, a simple HTTP request passing a parameter named param with value “1”, using the GET method, might look like:
GET /my_webapp/mypage.htm?param=1 HTTP/1.1
A similar request using the POST method might look like:
The IOS XE REST API relies on authentication to a Token Service that checks the provided credentials and then returns a token-id, a short-lived identifier to be used for subsequent requests. Clients authenticate using HTTP Basic Authentication with a POST to the following URI:
https://<host>:55443/api/v1/auth/token-services
Upon successful authentication, the server will respond with a token-id JSON object that will then be placed in an X-auth-token HTTP header by the client on further requests to the API.
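To make the authentication flow above concrete, the following Python is an added example written for this page; it is not Cisco's or Trend Micro's code. It assembles the raw HTTP/1.1 request behind the token-services POST (request-line, header lines, CRLF, empty body), encodes the Basic credentials, parses the token-id out of the JSON reply, and builds the X-Auth-Token headers for follow-on calls. The endpoint path and port are the ones given on this page; the sample response is constructed, and no JSON fields beyond token-id are assumed. fetch_token is the only function that touches the network and is not exercised offline.

```python
from __future__ import annotations

import base64
import json
import socket
import ssl

# Endpoint and port are the ones the article gives; everything else is an
# added illustration, not Cisco's or Trend Micro's code.
TOKEN_SERVICES_PATH = "/api/v1/auth/token-services"
REST_API_PORT = 55443


def basic_auth_value(username: str, password: str) -> str:
    """HTTP Basic credentials (RFC 7617): "Basic" SP base64(user ":" password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(host: str, username: str, password: str,
                        port: int = REST_API_PORT) -> bytes:
    """Raw HTTP/1.1 request for the token-services POST.

    Layout is the one described above: request-line, header lines, an empty
    line, then the (here empty) body, every line terminated by CRLF.
    """
    request_line = f"POST {TOKEN_SERVICES_PATH} HTTP/1.1"
    headers = [
        f"Host: {host}:{port}",
        "Accept: application/json",
        f"Authorization: {basic_auth_value(username, password)}",
        "Content-Length: 0",
        "Connection: close",
    ]
    return ("\r\n".join([request_line, *headers]) + "\r\n\r\n").encode("ascii")


def parse_http_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw response into (status code, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def extract_token_id(body: bytes) -> str:
    """Return the token-id from the JSON object the token service sends back."""
    token = json.loads(body).get("token-id")
    if not isinstance(token, str) or not token:
        raise ValueError("response carried no token-id")
    return token


def authed_headers(token: str) -> dict[str, str]:
    """Headers for later API calls: the token replaces the Basic credentials."""
    return {"Accept": "application/json", "X-Auth-Token": token}


def fetch_token(host: str, username: str, password: str, verify_tls: bool = True,
                port: int = REST_API_PORT, timeout: float = 10.0) -> str:
    """Send the request over TLS and return the token-id (needs network access)."""
    context = ssl.create_default_context()
    if not verify_tls:  # counterpart of cURL's --insecure; lab appliances only
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_token_request(host, username, password, port))
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
    status, _, body = parse_http_response(b"".join(chunks))
    if status != 200:
        raise RuntimeError(f"token service returned HTTP {status}")
    return extract_token_id(body)


# Constructed sample response (not captured from a device) so the parser can be
# exercised offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"token-id": "deadbeef0123456789abcdef"}'
)
```

Every later API call carries the token in X-Auth-Token instead of the Basic credentials, which is exactly why a leak of live token-ids is as good as a leak of the administrator's password for the token's lifetime.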
An authentication bypass exists in the REST API service container for IOS XE. The vulnerability is due to the debug_tokens configuration parameter being enabled in the default configuration of the REST API web application. The REST API web application is written in Python using the Flask WSGI web application framework. The Flask-RESTful extension uses a custom ResourceRoute decorator to define endpoints for the API. The tokens.py module contains the code that handles the token-services endpoint described above, and also a debug endpoint that is enabled based on the value of the debug_tokens parameter in the application config file, api-config.ini. By default, debug_tokens is set to “yes”, which lets any unauthenticated user see all currently valid tokens on the server by visiting the following URI:
A remote, unauthenticated attacker can exploit this vulnerability by visiting the token-services debug endpoint. Successful exploitation could result in the bypassing of authentication, allowing an attacker to perform actions as an administrator on the target server.
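The following Python is an added example, not Cisco's Flask application, that reproduces the pattern just described in a self-contained WSGI service so it can be run offline: a token service whose debug route is wired in whenever a debug_tokens key in an ini-style config reads yes, and which dumps every live token to a caller presenting no credentials at all. Only the token-services path and the debug_tokens key come from the page; the debug and protected resource paths, the [restful_api] section name and the credential store are hypothetical, and the config fragments are constructed.

```python
from __future__ import annotations

import base64
import configparser
import json
import secrets
from wsgiref.util import setup_testing_defaults

# Constructed config fragments modelled on api-config.ini: the debug_tokens key
# is the one named on the page; the section name and everything else is assumed.
VULNERABLE_INI = "[restful_api]\ndebug_tokens = yes\n"
HARDENED_INI = "[restful_api]\ndebug_tokens = no\n"

TOKEN_PATH = "/api/v1/auth/token-services"        # endpoint named on the page
DEBUG_PATH = "/api/v1/auth/token-services/debug"  # HYPOTHETICAL debug route for this demo
PROTECTED_PATH = "/api/v1/interfaces"             # HYPOTHETICAL token-protected resource
USERS = {"admin": "secret"}                       # constructed credential store


class TokenService:
    """Tiny WSGI stand-in for the token service (not Cisco's Flask code)."""

    def __init__(self, ini_text: str):
        cfg = configparser.ConfigParser()
        cfg.read_string(ini_text)
        # The whole bug is this switch: a debug route that is wired in whenever
        # the config says yes. A safe default is "off" when the key is absent.
        self.debug_tokens = cfg.getboolean("restful_api", "debug_tokens", fallback=False)
        self.tokens: dict[str, str] = {}  # token-id -> username

    def _basic_auth_user(self, environ) -> str | None:
        scheme, _, b64 = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        if user not in USERS or not secrets.compare_digest(USERS[user], password):
            return None
        return user

    def __call__(self, environ, start_response):
        method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
        if method == "POST" and path == TOKEN_PATH:
            user = self._basic_auth_user(environ)
            if user is None:
                return self._reply(start_response, 401, {"error": "bad credentials"})
            token = secrets.token_hex(16)
            self.tokens[token] = user
            return self._reply(start_response, 200, {"token-id": token})
        if method == "GET" and path == DEBUG_PATH and self.debug_tokens:
            # No credential check at all before every live token is dumped.
            return self._reply(start_response, 200, {"tokens": sorted(self.tokens)})
        if method == "GET" and path == PROTECTED_PATH:
            if environ.get("HTTP_X_AUTH_TOKEN") not in self.tokens:
                return self._reply(start_response, 401, {"error": "token required"})
            return self._reply(start_response, 200, {"interfaces": ["GigabitEthernet1"]})
        return self._reply(start_response, 404, {"error": "not found"})

    @staticmethod
    def _reply(start_response, status: int, obj) -> list[bytes]:
        body = json.dumps(obj).encode("utf-8")
        start_response(f"{status} {'OK' if status == 200 else 'Error'}",
                       [("Content-Type", "application/json"),
                        ("Content-Length", str(len(body)))])
        return [body]


def request(app, method: str, path: str, headers: dict[str, str] | None = None):
    """Call a WSGI app in-process (no sockets); returns (status code, JSON body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["code"] = int(status.split(" ", 1)[0])

    body = b"".join(app(environ, start_response))
    return captured["code"], json.loads(body)


def demonstrate(ini_text: str) -> dict:
    """An admin logs in; then a client with no credentials tries the debug route
    and replays whatever it got against a protected resource."""
    app = TokenService(ini_text)
    creds = base64.b64encode(b"admin:secret").decode("ascii")
    login_status, body = request(app, "POST", TOKEN_PATH, {"Authorization": "Basic " + creds})
    admin_token = body["token-id"]
    debug_status, debug_body = request(app, "GET", DEBUG_PATH)  # unauthenticated
    leaked = debug_status == 200 and admin_token in debug_body.get("tokens", [])
    stolen = admin_token if leaked else "not-a-real-token"
    replay_status, _ = request(app, "GET", PROTECTED_PATH, {"X-Auth-Token": stolen})
    return {"login_status": login_status, "debug_status": debug_status,
            "token_leaked": leaked, "replay_status": replay_status}
```

demonstrate(VULNERABLE_INI) shows the administrator's token coming back from the debug route with no credentials and then being accepted on the protected resource; demonstrate(HARDENED_INI) gets 404 from the debug route and 401 on the replay. The fallback=False matters: a debug switch should default to off when the key is missing, and a route that enumerates live session tokens has no place in a production build at all, which is the more durable fix than flipping the flag.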
Source Code Walkthrough
The following code snippet was taken from Cisco REST API Management Services Container version 16.06.05. Comments have been added by Trend Micro Research.
/opt/cisco/restful_api/src/api-config.ini from iosxe-remote-mgmt.16.06.05.ova:
Trend Micro Security Research has provided a proof of concept script, poc.py, in order to illustrate the risks posed by this vulnerability. The script expects the following syntax:
python poc.py client <host>
<host> is the target host running the vulnerable version of IOS XE with the REST API enabled.
The appliance must have the REST API configured by following the instructions in Cisco's REST API configuration guide [PDF]. In addition, a user with privilege level 15 should be created on the appliance. Once the REST API is running and that user has been created, request an authentication token for the privilege-15 user with the following cURL command; this leaves a valid token on the device for the PoC to harvest:
curl -v -X POST https://<host>:55443/api/v1/auth/token-services \
  -H "Accept:application/json" \
  -u "<username>:<password>" -d "" --insecure
<host> is the target host, and <username> and <password> are the credentials of the user with privilege level 15. After running the cURL command, the PoC can be run.
By default, the PoC will retrieve all currently active authentication tokens then use the first token to retrieve information about all network interfaces configured on the appliance.
The PoC was tested on the Cisco Cloud Services Router 1000V version 16.06.05 running REST API Management Services Container version 16.06.05.
Cisco patched this bypass and issued SA20190828 on August 28, 2019. With that advisory, they released a fixed version of the REST API virtual service container as well as a hardened Cisco IOS XE Software release that prevents installation or activation of a vulnerable container on a device. They also note that the REST API is not enabled by default and must be installed and activated separately on IOS XE devices. They did not provide details on the code changes made to address this vulnerability.
Special thanks to John Simpson and Dusan Stevanovic of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the ZDI team for the latest in exploit techniques and security patches.