A critical vulnerability in Cisco Systems’ inter-site policy manager software could allow a remote attacker to bypass authentication.
Cisco also eliminated a critical security flaw affecting its Nexus 3000 Series Switches & Cisco Nexus 9000 Series Switches.
The vulnerability is one of 3 critical flaws fixed by Cisco this week. It exists in Cisco’s ACI Multi-Site Orchestrator (ACI MSO). This is Cisco’s management software for businesses, which allows them to monitor the health of all interconnected policy-management sites.
The flaw stems from improper token validation on an API endpoint in Cisco’s ACI MSO.
“A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO & managed Cisco Application Policy Infrastructure Controller (APIC) devices,” said Cisco on Wed.
The vulnerability (CVE-2021-1388) ranks 10 (out of 10) on the CVSS vulnerability-rating scale. The glitch is considered critical because an attacker – without any authentication – could remotely exploit it, merely by sending a crafted request to the affected API.
Cisco stated that ACI MSO versions running a 3.0 release of software are affected. However, they would have to be deployed on a Cisco Application Services Engine, which is the company’s unified application hosting platform for deploying data-centre applications. ACI MSO can either be deployed as a cluster in Cisco Application Services Engine or deployed in nodes as virtual machines on a hypervisor.
Cisco revealed that it is not aware of any public exploits or “malicious use” of the vulnerability so far. Users can learn about update options by visiting Cisco’s security advisory page.
Root Privileges on Nexus Switches
Cisco also plugged a ‘hole’ stemming from NX-OS, Cisco’s network operating system for its Nexus-series Ethernet switches.
This flaw, which has a CVSS score of 9.8 out of 10, could let an unauthenticated, remote attacker to create, delete or overwrite arbitrary files with root privileges on affected devices. Those affected devices are the Cisco Nexus 3000 Series Switches & Cisco Nexus 9000 Series Switches (in standalone NX-OS mode).
File Management Service
The vulnerability (CVE-2021- 1361) stems from an error on the implementation of an internal file management service. It exists because TCP port 9075 is incorrectly configured to listen & respond to external connection requests.
“An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075,” observed Cisco.
“A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration.”
In an example situation, after exploiting the flaw, an attacker could add a user account without the device administrator knowing.
The Nexus 3000 series switches & Nexus 9000 series switches “are vulnerable by default.” Thus, it’s critical for users of these devices to update as soon as possible (for more information on doing so, or to see how they can check if their device is vulnerable, users can check out Cisco’s security advisory).
Unauthorised Access Flaw
Another critical flaw for Cisco exists in the Application Services Engine. This glitch could allow unauthenticated, remote attackers to gain privileged access to host-level operations. Then, they would be able to take device-specific information, create diagnostic files & make limited configuration changes.
The flaw (CVE-2021-1393) affects Cisco Application Services Engine Software releases 1.1(3d) & earlier. It ranks 9.8 out of 10 on the CVSS scale.
“The vulnerability is due to insufficient access controls for a service running in the data network,” commented Cisco. “An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations.”
Critical Cisco Fixes
The Cisco flaws are the latest vulnerabilities for the networking giant to eliminate.
At the beginning of Feb., Cisco rolled out fixes for critical holes in its line-up of small-business VPN routers. The flaws could be exploited by unauthenticated, remote attackers to view or tamper with data, and perform other unauthorised actions on the routers.
In Jan., Cisco warned of a high-severity flaw in its smart Wi-Fi solution for retailers, which could allow a remote attacker to alter the password of any account user on affected systems. The flaw was part of a number of patches issued by Cisco addressing 67 high-severity CVEs.