Cisco has addressed a maximum severity vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) that could allow an unauthenticated, remote attacker to bypass authentication on vulnerable devices.
“An attacker could exploit this vulnerability by sending a crafted request to the affected API,” the company said in an advisory published yesterday. “A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.”
The bug, tracked as CVE-2021-1388, ranks 10 (out of 10) on the CVSS vulnerability scoring system and stems from an improper token validation in an API endpoint of Cisco ACI MSO installed the Application Services Engine. It affects ACI MSO versions running a 3.0 release of the software.
The ACI Multi-Site Orchestrator lets customers monitor and manage application-access networking policies across Cisco APIC-based devices.
Separately, the company also patched multiple flaws in Cisco Application Services Engine (CVE-2021-1393 and CVE-2021-1396, CVSS score 9.8) that could grant a remote attacker to access a privileged service or specific APIs, resulting in capabilities to run containers or invoke host-level operations, and learn “device-specific information, create tech support files in an isolated volume, and make limited configuration changes.”
Both the flaws were a result of insufficient access controls for an API running in the Data Network, Cisco noted.
The networking major said the aforementioned three weaknesses were discovered during internal security testing but added it detected no malicious attempts exploiting the vulnerabilities in the wild.
Lastly, Cisco fixed a vulnerability (CVE-2021-1361, CVSS score 9.8) in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches running NX-OS, the company’s network operating system used in its Nexus-branded Ethernet switches.
This could allow a bad actor to create, delete, or overwrite arbitrary files with root privileges on the device, the company cautioned, including permitting the attacker to add a user account without the device administrator’s knowledge.
Cisco said Nexus 3000 and Nexus 9000 switches running Cisco NX-OS Software Release 9.3(5) or Release 9.3(6) are vulnerable by default.
“This vulnerability exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests,” Cisco outlined in the adversary. “An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075.”
The patches come weeks after Cisco rectified as many as 44 flaws in its Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user and even cause a denial-of-service condition.