In an advisory released on Wednesday, Cisco announced that it has addressed a maximum-severity authentication bypass vulnerability, tracked as CVE-2021-1388, with a CVSS base score of 10/10. The vulnerability was found in an API endpoint of the Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine. Cisco ACI MSO is an intersite network and policy orchestration solution that helps administrators monitor the interconnected sites across an organization’s data centers.
The vulnerability could allow an unauthenticated, remote attacker to bypass authentication on affected devices. “The vulnerability is due to improper token validation on a specific API endpoint. The attacker could exploit this vulnerability by sending a crafted request to the affected API,” says the company.
Through a successful exploit, the attacker could receive a token with up to administrator-level privileges. These privileges would allow them to authenticate to the API of the affected MSO and also manage the Cisco Application Policy Infrastructure Controller devices.
Only MSO 3.0 was affected
Cisco has stated that the vulnerability affects only the 3.0 releases of Cisco ACI MSO, and only when deployed on a Cisco Application Services Engine. MSO can be deployed in one of two ways:
- MSO cluster in a Cisco Application Services Engine; the MSO software image can be identified by an ‘aci’ extension.
- MSO nodes deployed as VMs on a Hypervisor; the MSO software image can be identified by an ‘ova’ extension.
No product other than MSO 3.0 is affected by the vulnerability. Cisco has also stated that its Product Security Incident Response Team (PSIRT) is not aware of any malicious use of, or public announcement regarding, the vulnerability. There are no workarounds that address this vulnerability.
Cisco has released an update
Cisco has released free software updates to address the vulnerability and advises all users to upgrade to the appropriate fixed release in due time. All 3.0 releases of MSO, except for 3(1i), are vulnerable up to the first fixed release. In its advisory, the company notes that only customers with a valid license procured from Cisco, or via an authorized reseller or partner, can download software updates.
Cisco has identified and resolved multiple vulnerabilities this month, many of which were disclosed on the same day as CVE-2021-1388. The vulnerabilities listed in Cisco’s security advisories span medium, high and critical severities, and include CVE-2021-1393, an unauthorized access vulnerability in Cisco’s Application Services Engine.