Cisco has announced a batch of patches for various products. Of particular interest are three vulnerabilities (two critical and one medium) for Cisco Application Services Engine. The first critical vulnerability is CVE-2021-1388, and it affects "an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine." According to the threat advisory, the vulnerability results from improper token validation. An attacker who crafts a malicious token and sends it to the API endpoint in question can gain administrator-level access on Cisco Application Policy Infrastructure Controller (APIC) devices.
The second and third vulnerabilities both affect the Cisco Application Services Engine. The first of these, CVE-2021-1393, is caused by "insufficient access controls for a service running in the Data Network." It can be exploited by sending TCP requests to a service with the intention of gaining remote access. Successful exploitation gives the threat actor privileged access with which they can "run containers or invoke host-level operations." This is the critical vulnerability of the two, earning a CVSS score of 9.8.
The final vulnerability patched, rated medium, is CVE-2021-1396. The vulnerability is caused by "insufficient access controls for an API running in the Data Network." To exploit it, an attacker needs to send crafted HTTP requests to the API. If successful, an attacker can "learn device-specific information, create tech support files in an isolated volume, and make limited configuration changes."
There are no known workarounds that address these vulnerabilities outside of patching. Sysadmins should therefore patch as quickly as possible, considering that two of the three vulnerabilities allow for privileged, remote, and unauthenticated access to the affected application services. Cisco released these patches just weeks after a large patch update that fixed numerous critical vulnerabilities in its VPN routers.