Cisco has released a patch to address a critical flaw in the API endpoint of the Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine.
The flaw, tracked as CVE-2021-1388, has been given the maximum CVSS severity of 10/10. If exploited, an attacker would be able to remotely bypass authentication on an affected device. The flaw could be exploited by sending a specially crafted request to a vulnerable ACI MSO API endpoint. The flaw is present in all ACI MSO 3.0 releases apart from version 3.0)1i). No other versions have this vulnerability.
The Cisco ACI MSO is used by IT teams to monitor the health of their interconnected sites across multiple data centers. If the flaw is exploited, an attacker would be able to obtain an authentication token that provides admin-level privileges for authenticating to the API on vulnerable MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.
Cisco is not aware of any real-world attempts to exploit the vulnerability, but due to the severity of the flaw, prompt patching is strongly recommended. Customers have been advised to upgrade to Cisco ACI MSO 3.0(3m) as soon as possible.
Cisco has also released a patch to correct another critical flaw which affects the Application Services Engine. The flaw could be exploited by sending specially crafted TCP requests to a specific service and would allow an unauthenticated remote attacker to gain access to a privileged service on a vulnerable device and run containers or invoke host-level operations. The vulnerability is tracked as CVE-2021-1393 and has been given a CVSS score of 9.8/10.
A patch has also been released to correct a medium severity flaw (CVE-2021-1396) in the Application Services Engine that can be exploited to provide unauthorized access to a specific API on a vulnerable device. The flaw is due to insufficient access controls for an API running in the Data Network. The flaw could be exploited by sending specially crafted HTTP requests to the affected API and has been given a CVSS score of 6.5/10. If successfully exploited, an attacker could obtain device-specific information, make limited configuration changes, and create tech support files in an isolated volume.