cbcvebase.
CVE-2019-12643
published 2019-08-28

Priority: P2 (72) · critical
CVSS 3.0: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 5.32% (91.6th percentile)
A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device. The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices. See the Details section for more information.

Affected

4 ranges
Vendor   Product                 Version range                 Fixed in
cisco    cisco_ios_xe_software   >= unspecified, < 16.09.03    16.09.03
cisco    ios_xe                  (not given)                   (not given)
cisco    ios_xe                  (not given)                   (not given)
cisco    rest                    (not given)                   (not given)

Detection & IOCs (extracted from sources)

port: 55443
filename: iosxe-remote-mgmt.16.03.03.ova
other: x-auth-token
snort/suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Token Usage (CVE-2019-12643)"; flow:established,to_server; xbits:isset,ET.Cisco_ABypass,track ip_pair,expire 60; http.method; content:"GET"; http.header_names; to_lowercase; content:"|0d 0a|x-auth-token|0d 0a|"; nocase; reference:cve,2019-12643; classtype:successful-admin; sid:2035012; rev:3; metadata:created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Check whether the Cisco REST API virtual service container is installed and enabled by running 'show virtual-service detail | include Restful'; the string 'Enabled, UP port: 55443' in the output confirms exposure.
  • Identify the installed container name and version with 'show virtual-service version installed'.
  • The vulnerable containers are named 'mgmt' and 'csr_mgmt'; flag any device running one of them at an affected version: 1.5.1, 1.6.1, 1.7.1, 1.7.2, 1.8.1, 162.1 or 99.99.99 for mgmt; 03.16.03, 03.16.04, 1.0.0 through 1.8.1, 162.1, 163.1, 2017.6, 2017.10 or 99.99.99 for csr_mgmt.
  • Scan the network for Cisco IOS XE devices with TCP port 55443 open to find potentially exposed REST API endpoints.
  • The Emerging Threats rule (SID 2035012, written in Suricata sticky-buffer syntax: http.method, http.header_names, xbits) alerts on a GET to port 55443 whose header names include x-auth-token, but only when the ET.Cisco_ABypass xbit was already set for the same IP pair within the previous 60 seconds. That bit is set by a companion rule covering the initial bypass attempt, which this page does not reproduce; without that companion rule deployed, this one never fires.
  • Exploitation requires a level-15 administrator to have an authenticated REST API session active at the time of the attack, so opportunistic exploitation without a live admin session is not possible; correlate anomalous REST API calls with concurrent admin sessions.
  • The REST API virtual service container is NOT enabled by default; a device is only vulnerable if the container has been explicitly installed and activated.
  • If 'show virtual-service detail | include Restful' produces no output, or 'Enabled, UP' is absent from it, the device is not affected.
  • Cisco also released a hardened IOS XE Software release that prevents a vulnerable container from being installed or activated at all, as an alternative mitigation path.
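The device-side checks above, turned into a script (an added example, not Cisco tooling or code from this page). It takes the output of 'show virtual-service detail | include Restful' and 'show virtual-service version installed' that an operator has already collected, parses container name and version, and applies the affected-version list exactly as given above. The CLI samples embedded below are constructed, and their column spacing is an assumption, which is why the regexes tolerate whitespace.

```python
"""Flag IOS XE devices that expose a vulnerable REST API container (CVE-2019-12643).

Added example; not Cisco's tooling. Applies the checks listed on this page to
CLI output already collected from a device (for instance over SSH).
"""
import re

# Affected container versions as listed on this page. For csr_mgmt,
# 1.0.0 to 1.8.1 is an inclusive range; every other entry is an exact string.
AFFECTED = {
    "mgmt": {"1.5.1", "1.6.1", "1.7.1", "1.7.2", "1.8.1", "162.1", "99.99.99"},
    "csr_mgmt": {"03.16.03", "03.16.04", "162.1", "163.1",
                 "2017.6", "2017.10", "99.99.99"},
}
CSR_MGMT_RANGE = ((1, 0, 0), (1, 8, 1))

# Constructed sample CLI output; exact spacing on real devices is an assumption.
DETAIL_SAMPLE = "Restful API  Enabled, UP     port: 55443\n"
VERSION_SAMPLE = (
    "Virtual service csr_mgmt installed version:\n"
    " Name    : csr_mgmt\n"
    " Version : 1.7.1\n"
)


def _vtuple(version: str) -> tuple:
    """'1.7.1' -> (1, 7, 1); raises ValueError for non-numeric components."""
    return tuple(int(part) for part in version.split("."))


def rest_api_enabled(detail_out: str) -> bool:
    """'show virtual-service detail | include Restful' shows 'Enabled, UP'."""
    return any("Enabled, UP" in line
               for line in detail_out.splitlines() if "Restful" in line)


def rest_api_port(detail_out: str):
    """Port the container listens on (55443 per the advisory), or None."""
    match = re.search(r"Restful.*?port:\s*(\d+)", detail_out)
    return int(match.group(1)) if match else None


def installed_containers(version_out: str) -> dict:
    """{container name: version} from 'show virtual-service version installed'."""
    found, name = {}, None
    for line in version_out.splitlines():
        m = re.match(r"\s*Name\s*:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Version\s*:\s*(\S+)", line)
        if m and name:
            found[name] = m.group(1)
            name = None
    return found


def is_affected(name: str, version: str) -> bool:
    """True if (name, version) is in this page's affected list."""
    if name not in AFFECTED:
        return False
    if version in AFFECTED[name]:
        return True
    if name == "csr_mgmt":
        try:
            return CSR_MGMT_RANGE[0] <= _vtuple(version) <= CSR_MGMT_RANGE[1]
        except ValueError:
            return False
    return False


def assess(detail_out: str, version_out: str) -> dict:
    """A device is vulnerable only when the REST API container is Enabled/UP
    AND an affected container version is installed (both checks above)."""
    exposed = rest_api_enabled(detail_out)
    hits = [(n, v) for n, v in installed_containers(version_out).items()
            if is_affected(n, v)]
    return {
        "rest_api_exposed": exposed,
        "port": rest_api_port(detail_out),
        "affected_containers": hits,
        "vulnerable": exposed and bool(hits),
    }


if __name__ == "__main__":
    print(assess(DETAIL_SAMPLE, VERSION_SAMPLE))
```

Run it against real output by substituting the two strings; a device whose Restful line is missing or not 'Enabled, UP' reports vulnerable=False regardless of the container version, matching the advisory's "not affected" condition.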
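The two-stage logic of the Emerging Threats rule, emulated in Python over a few constructed requests (an added example; it is neither the ET rule nor Suricata). It models the xbits behaviour described above: a GET to tcp/55443 whose header names include x-auth-token is flagged only when the ET.Cisco_ABypass bit was set for the same client/device IP pair within the previous 60 seconds. Because the companion rule that sets the bit is not on this page, it is represented by an explicit record_bypass_attempt() call; the addresses, the token value and the URL path are illustrative.

```python
"""Emulate the xbits-gated detection of ET SID 2035012 over sample requests.

Added example; not the Emerging Threats rule and not Suricata. The companion
rule that sets the ET.Cisco_ABypass bit is not reproduced on this page, so
record_bypass_attempt() stands in for it.
"""

XBIT_EXPIRE_SECONDS = 60   # 'expire 60' in the rule
REST_API_PORT = 55443      # destination port in the rule


class BypassTracker:
    """Per-IP-pair state, the role xbits plays in the rule."""

    def __init__(self):
        self._bits = {}  # (client_ip, device_ip) -> time the bit was set

    def record_bypass_attempt(self, client_ip, device_ip, now):
        """Stand-in for the companion rule's 'xbits:set,ET.Cisco_ABypass'."""
        self._bits[(client_ip, device_ip)] = now

    def bit_set(self, client_ip, device_ip, now):
        """'xbits:isset,ET.Cisco_ABypass,track ip_pair,expire 60'."""
        set_at = self._bits.get((client_ip, device_ip))
        return set_at is not None and now - set_at <= XBIT_EXPIRE_SECONDS


def request_method(raw: bytes) -> bytes:
    """Method token from the request line (what http.method exposes)."""
    return raw.split(b" ", 1)[0]


def header_names(raw: bytes) -> list:
    """Lowercased header names: the whole-name view the rule matches with
    '|0d 0a|x-auth-token|0d 0a|' after to_lowercase on http.header_names."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if b":" in line:
            names.append(line.split(b":", 1)[0].strip().lower())
    return names


def token_usage_alert(tracker, client_ip, device_ip, dst_port, raw, now) -> bool:
    """True when every condition of the rule holds for this request."""
    if dst_port != REST_API_PORT:
        return False
    if not tracker.bit_set(client_ip, device_ip, now):
        return False                              # xbits:isset failed
    if request_method(raw) != b"GET":
        return False
    return b"x-auth-token" in header_names(raw)   # whole header name only


# Constructed sample traffic; path and token value are illustrative.
TOKEN_GET = (b"GET /api/v1/global/host-name HTTP/1.1\r\n"
             b"Host: 192.0.2.10:55443\r\n"
             b"X-Auth-Token: example-token-value\r\n"
             b"Accept: application/json\r\n\r\n")
PLAIN_GET = (b"GET /api/v1/global/host-name HTTP/1.1\r\n"
             b"Host: 192.0.2.10:55443\r\n"
             b"Accept: application/json\r\n\r\n")


def demo() -> list:
    """Replay a short sequence and return which events alert."""
    tr = BypassTracker()
    client, device = "198.51.100.7", "192.0.2.10"
    events = []
    events.append(token_usage_alert(tr, client, device, 55443, TOKEN_GET, 100.0))  # bit not set
    tr.record_bypass_attempt(client, device, 100.0)
    events.append(token_usage_alert(tr, client, device, 55443, PLAIN_GET, 105.0))  # no token header
    events.append(token_usage_alert(tr, client, device, 55443, TOKEN_GET, 110.0))  # alert
    events.append(token_usage_alert(tr, client, device, 55443, TOKEN_GET, 170.0))  # bit expired
    return events


if __name__ == "__main__":
    print(demo())   # [False, False, True, False]
```

The fourth event shows the operational caveat: a token-bearing GET that arrives more than 60 seconds after the bypass attempt, or from a different source address, is silent under this rule, so the companion rule's own alert is the one to keep an eye on for slow or distributed attempts.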

CVSS provenance

nvd, v3.0: 10.0 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco: 10.0 CRITICAL