A set of high-severity privilege-escalation vulnerabilities affecting Business Process Automation (BPA) application & Cisco’s Web Security Appliance (WSA) & could allow authenticated, remote attackers to access sensitive data or take over a targeted system.
The high-severity security vulnerabilities allow elevation of privileges, leading to data theft etc.
Cisco Business Process Automation
The 1st 2 bugs (CVE-2021-1574 & CVE-2021-1576) exist in the web-based management interface of the Cisco Business Process Automation (BPA), which is used to streamline various IT processes. Its functions include OS upgrades, device activation, compliance checks & server migration.
The issues, which both rate 8.8 out of 10 on the CVSS vulnerability-severity scale, could allow an authenticated, remote attacker to elevate privileges to administrator-level. A successful exploit would involve sending crafted HTTP messages to an affected system.
“These vulnerabilities are due to improper authorisation enforcement for specific features & for access to log files that contain confidential information,” according to Cisco’s Thurs. advisory.
Exploitation could result in an adversary “performing unauthorised actions with the privileges of an administrator, or by retrieving sensitive data from the logs & using it to impersonate a legitimate privileged user,” the company detailed.
- For CVE-2021-1574, an attacker with valid user credentials could execute unauthorised commands;
- For CVE-2021-1576, an attacker with valid credentials could access the logging subsystem of an affected system & retrieve sensitive data. The system is vulnerable only while a legitimate user maintains an active session on the system, Cisco noted.
The vulnerabilities affect Cisco BPA releases earlier than Release 3.1.
Also, the 3rd bug affects Cisco’s WSA appliance, which provides protection for those using a corporate network to access the web, by automatically blocking risky sites & testing unknown sites before allowing users to click on them.
The issue (CVE-2021-1359, with a CVSS score of 6.3 out of 10) exists in the configuration management of the Cisco AsyncOS operating system that powers the WSA. According to Cisco’s advisory, it could allow an authenticated, remote attacker to perform command injection & elevate privileges to root.
“This vulnerability is due to insufficient validation of user-supplied XML input for the web interface,” the networking giant explained. “An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system & elevate privileges to root.”
The bug rates high-severity rather than critical since any would-be attacker would need a valid user account with the rights to upload configuration files in order to exploit the bug – something that could be achieved via another exploit or phishing attack.
The issue affects both the virtual & hardware-based iterations of the appliances, in Releases 11.8 & earlier, 12.0 and 12.5.
These are just the latest patches that Cisco has issued; last month, it patched several high-severity security vulnerabilities in its Small Business 220 Series Smart Switches, which are intro-level networking gear for SMBs.
The flaws could allow remote attacks designed to steal information, drop malware & disrupt operations, via session hijacking, arbitrary code execution, cross-site scripting (XSS) and HTML injection.