First published: Wed Sep 25 2019
A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco IOS | = 15.7(3)m3 | |
| Cisco 807 Industrial Integrated Services Routers | | |
| Cisco 809 Industrial Integrated Services Routers | | |
| Cisco 829 Industrial Integrated Services Routers | | |
| Cisco CGR 1120 | | |
| Cisco CGR 1240 | | |
The vulnerability ID for this issue is CVE-2019-12648.
The severity level of CVE-2019-12648 is rated critical, with a severity score of 8.8.
Cisco IOS Software version 15.7(3)m3 is affected by CVE-2019-12648.
CVE-2019-12648 allows an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device.
Cisco has released a security advisory with fixes and mitigations for CVE-2019-12648; refer to the Cisco Security Advisory for more information.