Cisco patches several critical vulnerabilities in Application Services Engine

Cisco has announced a chunk of patches for various products. Of particular interest are (two critical and one medium) vulnerabilities for Cisco Applications Services Engine. The first critical vulnerability is CVE-2021-1388 and it affects "an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine." According to the threat advisory, the vulnerability results from improper token validation. When an attacker crafts a malicious token and sends it to the API endpoint in question, they can gain administrator-level access on Cisco Application Policy Infrastructure Controller (APIC) devices.

The second and third vulnerabilities both affect the Cisco Application Services Engine. The first of these exploitable vulnerabilities, CVE-2021-1393, is caused by "insufficient access controls for a service running in the Data Network." It can be exploited by sending TCP requests to a service with the intention of gaining remote access. The remote access, when exploited properly, allows for privileged access in which the threat actor can "run containers or invoke host-level operations." This is the critical vulnerability, earning a CVSS score of 9.8.

Last, the final, medium threat vulnerability patched is CVE-2021-1396. The vulnerability is caused by "insufficient access controls for an API running in the Data Network." Should an attacker wish to exploit this, they need to send crafted HTTP requests to the API. If successful, an attacker can "learn device-specific information, create tech support files in an isolated volume, and make limited configuration changes."

There are no known workarounds that address these vulnerabilities outside of patching. As this is the case, sysadmins should patch as quickly as possible considering that two of the three vulnerabilities allow for privileged, remote, and unauthenticated access to the affected application services. Cisco releases these patches just weeks after a large patch update that saw numerous critical vulnerabilities in their VPN routers patched.

Featured image: Flickr/Ecole Polytechnique

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Operational technology security: Boost it or suffer the consequences

Companies with robust IT cyberthreat defenses don’t always have a strong operational technology security structure…

3 days ago

Running containers and virtual machines on the same bare-metal cloud

Implementing containers and virtual machines on the same bare-metal cloud can provide a cost-efficient way…

3 days ago

Global IT spending to rebound 8.4% in 2021: Gartner

IT spending in 2021 is expected to reverse its pandemic-related decline in 2020, according to…

4 days ago

Setting up Mac Mail and Outlook on Exchange 2016

Setting up Mac Mail and Microsoft Outlook on Exchange 2016 is not difficult, although there…

4 days ago

Which type of PowerShell loop should you be using?

PowerShell supports several types of loops, but not all loops are interchangeable in your scripts.…

4 days ago

Docker raises $23M — Will its new developer focus hold up to reality?

Docker has received an influx of cash as it bets on a developers’ community that…

5 days ago