Critical vulnerabilities impacting Cisco Elastic Services Controller

Web application security testing experts reported a critical vulnerability in Cisco Elastic Services Controller (ESC) that could allow an unauthenticated remote attacker to take full control of an affected system using just a specially crafted request.

ESC is a virtual network function manager employed by hundreds of companies to automate the implementation and monitoring of tasks performed on their virtual machines. The vulnerability, tracked as CVE-2019-1867, is an authentication bypass flaw and has received a score of 10/10 on the Common Vulnerability Scoring System (CVSS) scale, making it a critical security issue.

“The flaw could allow an attacker to bypass the authentication process in REST API”, according to a company statement. Web application security testing experts mention that Cisco released the fixes for the vulnerability a couple of days ago; users are encouraged to install the updates because there are no known workarounds.

The company mentions that the vulnerability exists due to incorrect validation of API requests in the REST function, which is a method that allows communication between a client and a web-based server using REST constraints.

A potential attacker would only have to send a specially crafted request to the REST API to exploit the vulnerability; if successfully exploited, the flaw would allow the threat actor to execute arbitrary actions using the REST API with admin privileges, the web application security testing experts

The vulnerability was discovered during a Cisco internal security audit; the company has reported that it impacts ESC running software versions 4.1, 4.2, 4.3 and 4.4 with the REST API enabled. It is noteworthy that the REST API is not enabled by default in Cisco ESC.

Just a few days ago, Cisco released fixes for two critical vulnerabilities that, if exploited, could have allowed attackers to launch denial-of-service (DoS) attacks against some of the company's firewall deployments.

According to the specialists from the International Institute of Cyber Security (IICS), so far there is no evidence to prove that the vulnerability has been exploited in the wild.
