Cisco fixes Command Injection vulnerability in CISCO ACE 4710 products

Pierluigi Paganini February 26, 2016

Cisco has released security updates for the products CISCO ACE 4710 appliance to fix a high severity command injection vulnerability.

This week CISCO published a security advisory related a Command Injection Vulnerability (CVE-2016-1297) affecting its product Cisco ACE 4710 Application Control Engine Command. The vulnerability was reported to the company by Jan Kadijk, an expert at Warpnet BV.

The Cisco ACE 4710 Application Control Engine equipment is a protection solution designed to enhance application availability and performance and improve the resilience to cyber attacks.

The Cisco ACE 4710 Device Manager GUI doesn’t correctly validate user input exposing users to remote attack, authenticated attacker would execute any command-line interface commands with administrator privileges. The Cisco ACE 4710 Application Control Engine  protection solution is in phasing out, CISCO no longer commercialize the solution since January 2014, but it is currently supporting it until January 31, 2019.

CISCO ACE 4710 products

“A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges. ” states the CISCO advisory.
“The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by crafting a malicious HTTP POST request with injected CLI commands inside the value of a POST parameter value. An exploit could allow the attacker to bypass the role-based access control (RBAC) restrictions enforced by the Cisco ACE Device Manager GUI.”

The exploitation of the vulnerability is quite simple, the attacker needs to send specially crafted HTTP POST request with commands injected into the value of the POST parameter.

CISCO informed that the security flaw affects Cisco ACE 4710 appliances running A5 software versions up to A5(3.0) that have enabled the access to the Device Manager GUI.

The company has already released the security patches and suggested as a workaround to disable the Device Manager GUI.

CISCO confirmed that there is no evidence that the flaw has been exploited in the wild.

Recently CISCO has issued security advisories for vulnerabilities rated critical and high severity, among the flawed products there are the devices the Industrial Ethernet 2000 Series and CISCO ASA firewalls.

Pierluigi Paganini

(Security Affairs – Cisco ACE 4710, hacking)



you might also like

leave a comment