Cisco patched two high-severity vulnerabilities in its Cisco Application Policy Infrastructure Controller (APIC) that could allow an attacker to elevate privileges on the host machine.

The product automates and manages the APIC fabric, optimizing application performance and provisioning for physical and virtual machines. Cisco said a remote attacker, with authentication, could gain higher privileges.

“The attacker will be granted the privileges of the last user to log in, regardless of whether those privileges are higher or lower than what should have been granted,” Cisco said in its advisory. “The attacker cannot gain root-level privileges.”

Cisco said the vulnerability occurs in the way the role-based access control system metes out privileges to remotely authenticated users if a user logs via SSH to the local management interface.

“An attacker could exploit this vulnerability by authenticating to the targeted device,” Cisco said. “The attacker’s privilege level will be modified to match that of the last user to log in via SSH. An exploit could allow the attacker to gain elevated privileges and perform CLI commands that should be restricted by the attacker’s configured role.”

Cisco patched a second privilege escalation bug in APIC that could lead to root access.

“The vulnerability is due to a custom executable system file that was built to use relative search paths for libraries without properly validating the library to be loaded. An attacker could exploit this vulnerability by authenticating to the device and loading a malicious library that can escalate the privilege level,” Cisco said in its advisory. “A successful exploit could allow the attacker to gain root-level privileges and take full control of the device. The attacker must have valid user credentials to log in to the device.”

Cisco said APIC running software release 1.0(1e) is vulnerable.

The company also updated its Cisco Virtual Network Function Element Manager, patching a privilege escalation bug that would allow an attacker to run commands as root.

“The vulnerability is due to command settings that allow Cisco VNF Element Manager users to specify arbitrary commands that will run as root on the server,” Cisco said in its advisory. “An attacker could use this setting to elevate privileges and run commands in the context of the root user on the server.”

Versions prior to 5.0.4 and 5.1.4 are affected, Cisco said.

Categories: Vulnerabilities