Cisco patches several critical vulnerabilities in Application Services Engine

Cisco has announced a batch of patches for various products. Of particular interest are three vulnerabilities (two critical and one medium) in Cisco Application Services Engine. The first critical vulnerability is CVE-2021-1388, which affects "an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine." According to the threat advisory, the vulnerability results from improper token validation. An attacker who crafts a malicious token and sends it to the affected API endpoint can gain administrator-level access on Cisco Application Policy Infrastructure Controller (APIC) devices.

The second and third vulnerabilities both affect the Cisco Application Services Engine itself. The first of these, CVE-2021-1393, is caused by "insufficient access controls for a service running in the Data Network." An attacker can exploit it by sending TCP requests to that service in order to gain remote access. A successful exploit provides privileged access with which the threat actor can "run containers or invoke host-level operations." This is the critical one of the two, earning a CVSS score of 9.8.

The final, medium-severity vulnerability patched is CVE-2021-1396. It is caused by "insufficient access controls for an API running in the Data Network." To exploit it, an attacker needs to send crafted HTTP requests to the API. If successful, the attacker can "learn device-specific information, create tech support files in an isolated volume, and make limited configuration changes."

There are no known workarounds for these vulnerabilities other than patching. Sysadmins should therefore patch as quickly as possible, considering that two of the three vulnerabilities allow for privileged, remote, and unauthenticated access to the affected application services. Cisco released these patches just weeks after a large patch update that fixed numerous critical vulnerabilities in its VPN routers.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
