NIAP: Assurance Continuity
Assurance Continuity - Cisco Aggregation Services Router 1004 (ASR1K) V2.0

Date of Maintenance Completion:  2019.08.27

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

Original Evaluated TOE:  2019.05.20 - Cisco Aggregation Services Router 1004 (ASR1K) running IOS-XE 16.9

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation.

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.

Product Description

The IOS-XE software was updated from 16.9 to 16.12.1a.  These updates were bug fixes and feature updates.

Changes to Evaluation Documents:

 - ST: Modified IOS-XE version number from 16.9 to 16.12.
 - Configuration Guide: Modified IOS-XE version number from 16.9 to 16.12.1a.

Regression Testing:

Each individual change was unit tested, and the IOS-XE 16.12.1a software image has had a limited amount of automated regression testing covering all major areas of baseline client functionality.

Vulnerability Analysis:

A new vulnerability analysis was run and as of 8/16/2019 all vulnerabilities have been addressed by the new IOS-XE 16.12.1a version.

The table below lists, for each vulnerability, the Cisco distributed defect tracking system (DDTS) Identifier and the release version that addresses the vulnerability.

CVE-2019-1862 - A vulnerability in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.
    DDTS Identifier: CSCvn20358
    Release version that addresses the Vulnerability: HTTP Server feature is not a TSF claim included in the TOE. Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1762 - A vulnerability in the Secure Storage feature of Cisco IOS and IOS XE Software could allow an authenticated, local attacker to access sensitive system information on an affected device.
    DDTS Identifier: CSCvi66418
    Release version that addresses the Vulnerability: Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1761 - A vulnerability in the Hot Standby Router Protocol (HSRP) subsystem of Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to receive potentially sensitive information from an affected device.
    DDTS Identifier: CSCvj98575
    Release version that addresses the Vulnerability: Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1759 - A vulnerability in access control list (ACL) functionality of the Gigabit Ethernet Management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the Gigabit Ethernet Management interface.
    DDTS Identifier: CSCvk47405, CSCvm97704
    Release version that addresses the Vulnerability: Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1755 - A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user.
    DDTS Identifier: CSCvi36824
    Release version that addresses the Vulnerability: Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1754 - A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI.
    DDTS Identifier: CSCvi36813
    Release version that addresses the Vulnerability: The web UI is not a TSF claim included in the TOE. Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1752 - A vulnerability in the ISDN functions of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload.
    DDTS Identifier: CSCvk01977
    Release version that addresses the Vulnerability: Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1745 - A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with elevated privileges.
    DDTS Identifier: CSCvj61307
    Release version that addresses the Vulnerability: Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2019-1743 - A vulnerability in the web UI framework of Cisco IOS XE Software could allow an authenticated, remote attacker to make unauthorized changes to the filesystem of the affected device.
    DDTS Identifier: CSCvi48984
    Release version that addresses the Vulnerability: The web UI is not a TSF claim included in the TOE. Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2018-15372 - A vulnerability in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic through a Layer 3 interface of an affected device.
    DDTS Identifier: CSCvh09411
    Release version that addresses the Vulnerability: MACsec is not a TSF claim included in the TOE. Cisco addressed this vulnerability in IOS-XE 16.12.1a.

CVE-2017-6665 - A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to reset the Autonomic Control Plane (ACP) of an affected system and view ACP packets that are transferred in clear text within an affected system (an information disclosure vulnerability).
    DDTS Identifier: CSCvd51214
    Release version that addresses the Vulnerability: The Autonomic Networking feature is not a TSF claim included in the TOE.

CVE-2017-6663 - A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause autonomic nodes of an affected system to reload, resulting in a denial of service (DoS) condition.
    DDTS Identifier: CSCvd88936
    Release version that addresses the Vulnerability: The Autonomic Networking feature is not a TSF claim included in the TOE.

Vendor Information


Cisco Systems, Inc.
Alicia Squires
+1 410 309 4862
certteam@cisco.com

http://www.cisco.com