In two security advisories released on Aug. 16, Cisco announced patches for two high-severity vulnerabilities. Both affect Cisco’s Application Policy Infrastructure Controller (APIC), and both can give an attacker who exploits them significant additional access on an affected system.
The first patched vulnerability, CVE-2017-6767, a.k.a. “SSH Privilege Escalation Vulnerability,” is rated 7.1 on the Common Vulnerability Scoring System (CVSS). It allows an attacker to escalate privileges beyond those of the original account, although root access cannot be gained through this particular vulnerability. Cisco attributes the flaw to:
“A limitation with how Role-Based Access Control (RBAC) grants privileges to remotely authenticated users when login occurs via SSH directly to the local management interface of the APIC. An attacker could exploit this vulnerability by authenticating to the targeted device.”
The second patch is for CVE-2017-6768, a.k.a. “Custom Binary Privilege Escalation Vulnerability,” which carries an even higher CVSS rating of 7.8. What makes this vulnerability so dangerous is that it allows a local, authenticated attacker to gain root privileges. According to Cisco, the cause is:
“A custom executable system file that was built to use relative search paths for libraries without properly validating the library to be loaded. An attacker could exploit this vulnerability by authenticating to the device and loading a malicious library that can escalate the privilege level.”
It is imperative that these Cisco patches be applied as soon as possible. Only one of the vulnerabilities, CVE-2017-6767, has a workaround. If you are unable to patch this vulnerability, Cisco recommends configuring each user on the remote authentication server with a Cisco Attribute-Value (AV) Pair that “includes a unique UNIX User Identifier.” Without the AV Pair, Cisco warns, “all users are assigned the same default UNIX User Identifier, which results in the vulnerability.”
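To verify that the workaround is actually in place, an administrator can audit the AV pairs returned by the remote authentication server for users that lack a UNIX User Identifier or share one. The following Python script is an added example, not Cisco's tooling or code from the advisory; it assumes the APIC AV-pair syntax `shell:domains=<domain>/<write-roles>/<read-roles>(<unix-uid>)` from Cisco ACI documentation, and the user records are constructed.

```python
import re
from collections import defaultdict

# Assumed AV-pair syntax (taken from Cisco ACI documentation, not from the advisory):
#   shell:domains=<domain>/<write-roles>/<read-roles>[,<domain>/...](<unix-uid>)
# The optional trailing "(NNNNN)" carries the per-user UNIX User Identifier.
AV_PAIR_RE = re.compile(r"^shell:domains=(?P<domains>[^()]+?)(?:\((?P<uid>\d+)\))?$")


def parse_unix_uid(av_pair):
    """Return the UNIX UID carried by an APIC AV pair, or None if absent or malformed."""
    m = AV_PAIR_RE.match(av_pair.strip())
    if not m or m.group("uid") is None:
        return None
    return int(m.group("uid"))


def audit_av_pairs(records):
    """records: iterable of (username, av_pair).
    Returns (user, message) findings for users that would fall back to the shared
    default UNIX UID, or whose UID collides with another user's."""
    findings = []
    uid_owners = defaultdict(list)
    for user, av_pair in records:
        uid = parse_unix_uid(av_pair)
        if uid is None:
            findings.append((user, "no UNIX UID in AV pair: shared default UID will be used"))
            continue
        uid_owners[uid].append(user)
    for uid, users in uid_owners.items():
        if len(users) > 1:
            for user in users:
                others = ", ".join(u for u in users if u != user)
                findings.append((user, f"UNIX UID {uid} shared with {others}"))
    return findings


# Constructed sample records standing in for the AAA server's per-user attributes.
SAMPLE_RECORDS = [
    ("alice", "shell:domains=all/admin/(16001)"),
    ("bob",   "shell:domains=all/read-all/(16002)"),
    ("carol", "shell:domains=all/admin/"),                       # no UID: default UID
    ("dave",  "shell:domains=tenant-a/admin/read-all(16001)"),   # collides with alice
]

if __name__ == "__main__":
    for user, msg in audit_av_pairs(SAMPLE_RECORDS):
        print(f"{user}: {msg}")
```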