A critical vulnerability in Cisco Systems’ intersite policy manager software could allow a remote attacker to bypass authentication.
The vulnerability is one of three critical flaws fixed by Cisco on this week. It exists in Cisco’s ACI Multi-Site Orchestrator (ACI MSO) — this is Cisco’s management software for businesses, which allows them to monitor the health of all interconnected policy-management sites.
The flaw stems from improper token validation on an API endpoint in Cisco’s ACI MSO.
“A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices,” said Cisco on Wednesday.
Cisco’s Critical Cybersecurity Flaw: Easily Exploitable
The vulnerability (CVE-2021-1388) ranks 10 (out of 10) on the CVSS vulnerability-rating scale. The glitch is considered critical because an attacker – without any authentication – could remotely could exploit it, merely by sending a crafted request to the affected API.
Cisco said that ACI MSO versions running a 3.0 release of software are affected. However, they would have to be deployed on a Cisco Application Services Engine, which is the company’s unified application hosting platform for deploying data-center applications. ACI MSO can either be deployed as a cluster in Cisco Application Services Engine, or deployed in nodes as virtual machines on a hypervisor.
Cisco said it’s not aware of any public exploits or “malicious use” of the vulnerability thus far. Users can learn about update options by visiting Cisco’s security advisory page.
Cisco Vulnerability Grants Root Privileges on Nexus Switches
Cisco also stoppered a hole stemming from NX-OS, Cisco’s network operating system for its Nexus-series Ethernet switches.
The flaw, which has a CVSS score of 9.8 out of 10, could allow an unauthenticated, remote attacker to create, delete or overwrite arbitrary files with root privileges on affected devices. Those affected devices are the Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches (in standalone NX-OS mode).
The vulnerability (CVE-2021- 1361) stems from an error on the implementation of an internal file management service. It exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests.
“An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075,” said Cisco. “A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration.”
In an example scenario, after exploiting the flaw, an attacker could add a user account without the device administrator knowing.
The Nexus 3000 series switches and Nexus 9000 series switches “are vulnerable by default.” Thus, it’s critical for users of these devices to update as soon as possible (for more information on doing so, or to see how they can check if their device is vulnerable, users can check out Cisco’s security advisory).
Cisco Application Services Engine: Unauthorized Access Flaw
Another critical flaw for Cisco exists in the Application Services Engine. This glitch could allow unauthenticated, remote attackers to gain privileged access to host-level operations. From there, they would be able to glean device-specific information, create diagnostic files and make limited configuration changes.
The flaw (CVE-2021-1393) affects Cisco Application Services Engine Software releases 1.1(3d) and earlier. It ranks 9.8 out of 10 on the CVSS scale.
“The vulnerability is due to insufficient access controls for a service running in the data network,” said Cisco. “An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations.”
More Critical Cisco Fixes
The Cisco flaws are the latest vulnerabilities for the networking giant to stomp out.
In the beginning of this month, Cisco rolled out fixes for critical holes in its lineup of small-business VPN routers. The flaws could be exploited by unauthenticated, remote attackers to view or tamper with data, and perform other unauthorized actions on the routers.
And in January, Cisco warned of a high-severity flaw in its smart Wi-Fi solution for retailers, which could allow a remote attacker to alter the password of any account user on affected systems. The flaw was part of a number of patches issued by Cisco addressing 67 high-severity CVEs.