Cisco has pushed out a patch for its ASR 9000 routers that could allow for attackers to carry out Denial-of-service (DoS) strikes and also give them unauthorized access to the devices. The CVSS score for the vulnerability (CVE-2019-1710) is 9.8, putting it at a critical severity level. The vulnerability lies in the router’s internal sysadmin applications where they are erroneously isolated in the alternate management interface. To be exploited correctly, an attacker would have to connect to one of the listening internal applications. The patch for this vulnerability was rushed out because it was found during internal testing and researchers believe it has not yet been exploited. Cisco is suggesting that users upgrade to Cisco’s IOS XR 64-bit software release 6.5.3 and 7.0.1 which will edit the calvados_boostrap.cfg file and reload the device.
Analyst Notes
Users should immediately upgrade to Cisco’s latest software release in order to assure their router will be safer. Users will also want to listen for more news pertaining to the router in case there happens to be an exploitation of the vulnerability.
