Preface: Because a stateless API adds per-request overhead when it handles large volumes of incoming and outbound calls, a REST API should be designed to encourage the storage of cacheable data.
Vulnerability details: A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device.
Fundamental design weakness of REST API authentication. For example, a typical authenticated REST flow looks like this:
- Make a POST request to /api/rest/issues and get it working with an API key
- Perhaps there is no way to disable the authentication layer
- Generate an auth key
- Now you have an auth token for the app
- cURL GET request (with authentication)
- cURL POST request (with authentication)
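The flow above (obtain a token with an API key, then send authenticated GET and POST requests) is what an authentication layer that cannot be switched off should enforce. The following is an added illustration written for this post, not Cisco's code and not the REST API container's implementation: an in-memory token issuer and a request dispatcher that denies every route by default unless a valid, unexpired bearer token is presented. The API key, token lifetime, path names and the `handle_request` function are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory token store: token -> (subject, expiry timestamp).
# A real service would keep this in a store shared by all API workers.
_TOKENS = {}
API_KEY = "constructed-example-api-key"   # assumption: pre-shared key the client holds
TOKEN_TTL_SECONDS = 900                   # assumption: 15-minute token lifetime


def issue_token(presented_api_key, subject, now=None):
    """Exchange a valid API key for a short-lived bearer token (assumed flow)."""
    now = time.time() if now is None else now
    # Constant-time comparison so the key check does not leak via timing.
    if not hmac.compare_digest(presented_api_key, API_KEY):
        return None
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (subject, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(headers, now=None):
    """Return the subject for a valid bearer token, or None (deny by default)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    entry = _TOKENS.get(token)
    if entry is None:
        return None
    subject, expires = entry
    if now >= expires:
        # Expired tokens are purged rather than silently extended.
        _TOKENS.pop(token, None)
        return None
    return subject


def handle_request(method, path, headers, now=None):
    """Minimal dispatcher: every route requires authentication and there is
    no configuration switch that bypasses the check."""
    subject = authenticate(headers, now)
    if subject is None:
        return 401, {"error": "authentication required"}
    if method == "GET" and path == "/api/rest/issues":
        return 200, {"issues": [], "user": subject}
    if method == "POST" and path == "/api/rest/issues":
        return 201, {"created": True, "user": subject}
    return 404, {"error": "not found"}


if __name__ == "__main__":
    tok = issue_token(API_KEY, "alice")
    print(handle_request("GET", "/api/rest/issues", {"Authorization": "Bearer " + tok}))
    print(handle_request("GET", "/api/rest/issues", {}))
```

The point to check in a review of any REST authentication layer is the shape of `handle_request`: the authentication decision happens before routing, and an unauthenticated request reaches no handler at all.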
What can Cisco customers do? See the official announcement by the vendor: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-iosxe-rest-auth-bypass