According to a security advisory released by Cisco, the company has patched a critical flaw in its ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software. The flaw, CVE-2019-1710, allows a remote, unauthenticated attacker to reach internal applications running inside the sysadmin virtual machine, and can also trigger a denial of service. With a Common Vulnerability Scoring System (CVSS) score of 9.8, the flaw is about as serious as flaws get (hence Cisco rushing out the patch).
The following statement in the advisory explains what exactly caused the flaw and how damaging it can be:
The vulnerability is due to incorrect isolation of the secondary management interface from internal sysadmin applications. An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.
The advisory describes a workaround in extensive detail. (It is also not the first time Cisco has employed a workaround strategy to quickly close off a vulnerability.) In essence, the workaround involves accessing the sysadmin VM and using bash to edit the calvados_bootstrap.cfg file. While the workaround does close the hole, the patch is probably the easier (that is, less headache-inducing) route, since a single typo in that manual edit can botch the workaround. To apply the patch, a sysadmin needs to download the update released for IOS XR 64-bit Software on the ASR 9000 series routers.
According to the advisory, there have been no known cases of the vulnerability being exploited in the wild (though this could change now that the advisory is public). The most likely reason is that Cisco discovered the flaw in the ASR 9000 series routers “during internal security testing.” The logic makes sense: a third-party white hat finding the flaw would imply that malicious hackers could also find it (and exploit it), whereas finding it in an internal security test makes it less likely (though not impossible) that outside parties found the flaw first.
In any case, make sure to patch as soon as possible if your company uses the ASR 9000 series routers.