This Cisco IOS XE REST API vulnerability could lead to attackers obtaining the token-id of an authenticated user.

Cisco this week said it issued a software update to address a vulnerability in its Cisco REST API virtual service container for Cisco IOS XE software that scored a critical 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

With the vulnerability, an attacker could submit malicious HTTP requests to the targeted device and, if successful, obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device, the company said.

According to Cisco, the REST API is an application that runs in a virtual services container. A virtual services container is a virtualized environment on a device and is delivered as an open virtual application (OVA). The OVA package has to be installed and enabled on a device through the device virtualization manager (VMAN) CLI. The Cisco REST API provides a set of RESTful APIs as an alternative method to the Cisco IOS XE CLI to provision selected functions on Cisco devices.

Cisco said the vulnerability can be exploited under the following conditions:

- The device runs an affected Cisco IOS XE Software release.
- The device has installed and enabled an affected version of the Cisco REST API virtual service container.
- An authorized user with administrator credentials (level 15) is authenticated to the REST API interface.

The REST API interface is not enabled by default. To be vulnerable, the virtual services container must be installed and activated. Deleting the OVA package from the device storage memory removes the attack vector. If the Cisco REST API virtual service container is not enabled, this operation will not impact the device's normal operating conditions, Cisco stated.

This vulnerability affects Cisco devices that are configured to use a vulnerable version of the Cisco REST API virtual service container. The following products are affected:

- Cisco 4000 Series Integrated Services Routers
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
- Cisco Integrated Services Virtual Router

Cisco said it has released a fixed version of the REST API virtual service container and a hardened IOS XE release that prevents installation or activation of a vulnerable container on a device. If the device was already configured with an active vulnerable container, the IOS XE software upgrade will deactivate the container, which leaves the device no longer vulnerable. In that case, to restore the REST API functionality, customers should upgrade the Cisco REST API virtual service container to a fixed software release, the company said.
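As an added illustration of how an operator might triage a fleet against the conditions above (this is example code written for this page, not code from the article or from Cisco), the script below parses output in the style of IOS XE's `show virtual-service detail` and classifies a REST API container as exposed, already fixed, or merely installed. The sample output is constructed and only approximates the real layout; the assumption that the REST API container's OVA name contains `remote-mgmt` is mine; and the fixed container release is not given on this page, so it is passed in as a parameter rather than hardcoded.

```python
import re

# Constructed sample, modelled loosely on "show virtual-service detail" output.
# Assumption: field names and indentation approximate the real format; this is
# not a capture from a device.
SAMPLE_DETAIL = """\
Virtual service csr_mgmt detail
  State                 : Activated
  Owner                 : IOSd
  Package information
    Name                : iosxe-remote-mgmt.16.09.01.ova
    Path                : bootflash:/iosxe-remote-mgmt.16.09.01.ova
    Application
      Name              : csr_mgmt
      Installed version : 16.09.01
"""


def parse_virtual_services(text):
    """Parse each 'Virtual service <name> detail' block into a dict."""
    services = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^Virtual service (\S+) detail", line)
        if m:
            current = {"name": m.group(1), "state": None, "package": None, "version": None}
            services.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^\s*State\s*:\s*(\S+)", line)
        if m:
            current["state"] = m.group(1)
            continue
        # Only the package name line ends in .ova; the application Name line does not.
        m = re.match(r"^\s*Name\s*:\s*(\S+\.ova)\s*$", line)
        if m:
            current["package"] = m.group(1)
            continue
        m = re.match(r"^\s*Installed version\s*:\s*(\S+)", line)
        if m:
            current["version"] = m.group(1)
    return services


def version_tuple(version):
    """Turn '16.09.01' into (16, 9, 1) so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess_rest_api_exposure(services, fixed_version=None):
    """Apply the advisory's conditions: exposed only if the REST API container is
    both present and Activated and not already at the fixed release.
    fixed_version must come from Cisco's advisory; None means 'unknown', in which
    case an activated container is reported as exposed pending verification."""
    findings = []
    for svc in services:
        # Assumption: the REST API container's OVA name contains "remote-mgmt".
        if not svc["package"] or "remote-mgmt" not in svc["package"]:
            continue
        activated = svc["state"] == "Activated"
        if fixed_version and svc["version"]:
            outdated = version_tuple(svc["version"]) < version_tuple(fixed_version)
        else:
            outdated = None  # cannot tell without the advisory's fixed release
        if activated and outdated is not False:
            exposed, action = True, "deactivate the container or upgrade it to a fixed release"
        elif activated:
            exposed, action = False, "none: container is activated but already at the fixed release"
        else:
            exposed, action = False, "installed but not activated: delete the OVA to remove the attack vector"
        findings.append({"name": svc["name"], "package": svc["package"],
                         "version": svc["version"], "activated": activated,
                         "exposed": exposed, "action": action})
    return findings


if __name__ == "__main__":
    # Pass fixed_version="<release from Cisco's advisory>" to get a definitive verdict.
    for finding in assess_rest_api_exposure(parse_virtual_services(SAMPLE_DETAIL)):
        print(finding)
```

Running the script against real device output (fed in over whatever inventory transport you already use) gives one finding per REST API container; an activated container with an unknown or outdated version is the case the article describes, while an installed-but-inactive container is not exploitable but still carries the OVA that the advisory recommends removing.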