Cisco issues patches for high-end software systems ACI, Application Services Engine and NX-OS operating system.

Cisco has issued three security advisories rated "critical" for some of its high-end software systems: two aimed at its Application Services Engine (ASE) implementation and one at the NX-OS operating system.

The most concerning warning is for Cisco Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) installed on the ASE, which was rated a worst-case 10 out of a possible 10 on the Common Vulnerability Scoring System (CVSS). The ACI Multi-Site Orchestrator lets customers control application-access policies across Cisco Application Policy Infrastructure Controller-based fabrics.

According to the advisory, a vulnerability in an API endpoint of Cisco ACI MSO installed on the ASE could let an unauthenticated, remote attacker bypass authentication on an affected device. A successful exploit could let the attacker receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices. The vulnerability is due to improper token validation on a specific API endpoint and affects Cisco ACI MSO running a 3.0 release of software only when deployed on a Cisco ASE, Cisco stated.

The second critical warning is about the ASE itself, where Cisco says there are multiple weaknesses that collectively rate 9.8 out of 10 on the CVSS scale, including:

A weakness that would let an attacker gain privileged access to run containers or invoke host-level operations. The vulnerability is due to insufficient access controls for a service running in the Data Network. An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service, Cisco stated.

A vulnerability that could allow an unauthenticated, remote attacker access to a specific API on an affected device. The vulnerability is due to insufficient access controls for an API running in the Data Network. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected API. A successful exploit could allow the attacker to learn device-specific information, create tech support files in an isolated volume, and make limited configuration changes, Cisco stated.

The final critical warning, rated 9.8 out of 10, is in the NX-OS operating system for Cisco's Nexus switches. Cisco says an exposure in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS could let an unauthenticated, remote attacker create, delete, or overwrite arbitrary files with root privileges on the device.

"This vulnerability exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests," Cisco stated. "An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075. A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration," Cisco stated. "For example, the attacker could add a user account without the device administrator knowing," the vendor stated.

Cisco has released free software updates that address the critical vulnerabilities and advises customers to consult the advisories for more information.

There were a number of other less serious advisories issued around the NX-OS and Nexus switch portfolio as well.
They included one that described a vulnerability in the NX-API feature of Cisco NX-OS Software that could let an unauthenticated, remote attacker conduct a cross-site request forgery (CSRF) attack on an affected system. A successful exploit could let the attacker perform arbitrary actions with the privilege level of the affected user. The attacker could view and modify the device configuration, Cisco stated.

Another warning described a vulnerability in the fabric infrastructure VLAN connection establishment of Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode that could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. With a connection to the infrastructure VLAN, the attacker can make unauthorized connections to Cisco APIC services or join other host endpoints, Cisco stated.

Cisco said it has released free software updates to address these issues.