Cisco IOS XE Software ASIC Register Write Vulnerability
Description
CVE-2019-12660 allows an authenticated local attacker to write arbitrary values to memory via CLI commands in Cisco IOS XE Software, leading to device compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-12660 is a vulnerability in the CLI of Cisco IOS XE Software that allows an authenticated, local attacker to write values to the underlying memory of an affected device. The issue stems from improper input validation and authorization of specific commands that a user can execute within the CLI. Affected versions include multiple releases of Cisco IOS XE Software; for a complete list, consult the Cisco Security Advisory [1].
Exploitation
An attacker must first authenticate to the affected device with local access. Once authenticated, the attacker issues a specific set of CLI commands that exploit the improper validation. No additional user interaction or network access is required beyond local authentication.
Impact
Successful exploitation allows the attacker to modify the device's configuration, potentially causing the device to operate in a non-secure and abnormally functioning state. This could lead to denial of service, security bypass, or other unauthorized changes to the device's behavior.
Mitigation
Cisco has released software updates that address this vulnerability. Customers should upgrade to a fixed version as indicated by the Cisco IOS Software Checker, available in the advisory [1]. No workarounds are available; upgrading is the only mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Count: 2
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-awr (mitre, vendor-advisory, x_refsource_CISCO)