Approx. read time: 6.1 min.
Post: Critical flaw allows attackers to take over Cisco Elastic Services Controllers
Critical flaw allows attackers to take over Cisco Elastic Services Controllers. Cisco has patched a critical, remotely exploitable authentication bypass vulnerability in Cisco Elastic Services Controller (ESC), a popular enterprise software for managing virtualized resources.
Cisco Elastic Services Controller Architecture
About the vulnerability (CVE-2019-1867) Critical flaw allows attackers to take over Cisco Elastic Services Controllers
“The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system,” Cisco explains.
CVE-2019-1867 has received a “perfect” 10.0 base CVSS score due to the fact that it can be exploited remotely, without the attacker having special privileges and without user interaction, and has a high impact on the system’s confidentiality, integrity and availability. In addition, the attack is easy to perform, as its complexity is low.
The vulnerability affects versions 4.1, 4.2, 4.3, and 4.4 of Cisco Elastic Services Controller (ESC), but only if the vulnerable REST API is enabled – and it’s not by default. Nevertheless, it’s likely that many users have it enabled.
Another good news is that the flaw was discovered by Cisco during internal security testing and there is no indication that it is currently being exploited in the wild.
Administrators are advised to upgrade to Cisco Elastic Services Controller Release 4.5 to plug the hole.
What is a REST-based API❓ (and why you need to know for the Cisco CCNA)
NOTICE
NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.
CVE-2019-1867 DetailMODIFIED This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided. DescriptionA vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system. SeverityCVSS 3.x Severity and Metrics: CNA: Cisco Systems, Inc.
Base Score: 10.0 CRITICAL
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA. Note: The NVD and the CNA have provided the same score. When this occurs only the CNA information is displayed, but the Acceptance Level icon for the CNA is given a checkmark to signify NVD concurrence. References to Advisories, Solutions, and ToolsBy selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
Weakness Enumeration
Known Affected Software Configurations Switch to CPE 2.2Configuration 1 ( hide )
Denotes Vulnerable Software Change History2 change records found show changes NOTICE NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
NIST 
Cisco Systems, Inc. Related Videos:
Related Posts:
Security experts say health care industry is prized target for cyber criminals
A Cisco Router Bug Has Massive Global Implications
U.S. Govt Issues Microsoft Office 365 Security Best Practices
Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution(Opens in a new browser tab)
Linux Kernel Can Be Exploited Remotely; Kernel Prior To 5.0.8 Affected(Opens in a new browser tab)
Tips and tricks for USING THE DOM API(Opens in a new browser tab)
Cybersecurity burnout: 10 most stressful parts of the job
It’s Almost Impossible to Tell if Your iPhone Has Been Hacked
Free online cybersecurity training resources
Introduction to Batch File Viruses
How do I install plugins in WordPress?
City of Toronto data at risk of cyber attack: report
Google is about to have a lot more ads on phones
The dark web represents only a fraction of the rest of the internet
Related Posts
About the Author: Bernard Aybout (Virii8)
