Cisco fixes three critical bugs in ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS

Pierluigi Paganini February 25, 2021

Cisco addressed over a dozen vulnerabilities in its products, including three critical bugs in ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS software.

Cisco released security updates to address over a dozen vulnerabilities affecting multiple products, including three critical flaws impacting its ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS software.

The most severe vulnerability addressed by the IT giant, tracked as CVE-2021-1388, is a remote authentication bypass issue that affects an API endpoint of the ACI Multi-Site Orchestrator (MSO). The vulnerability received a CVSS score of 10.

“A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device,” reads the advisory published by Cisco.

“The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.”

The flaw is caused by improper validation of tokens. An attacker could trigger the issue by sending crafted requests to receive a token with administrator-level privileges, which could then be used to authenticate to the API on affected MSO devices.

This flaw affects Cisco ACI Multi-Site Orchestrator (MSO) running software version 3.0 only when deployed on a Cisco Application Services Engine.

Cisco also addressed two unauthorized access vulnerabilities, tracked as CVE-2021-1393 and CVE-2021-1396, that affect the Application Services Engine. The more severe of the two is CVE-2021-1393, which received a CVSS score of 9.8.

“Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes,” reads the advisory.

The issues affect only Application Services Engine release 1.1.

Another critical flaw fixed by Cisco is CVE-2021-1361, which affects NX-OS running on Nexus 3000 and Nexus 9000 series switches. The flaw received a CVSS score of 9.8 and could be exploited remotely, without authentication, to manipulate arbitrary files with root privileges.

“A vulnerability in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS Software could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device,” reads the advisory.

“A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration. For example, the attacker could add a user account without the device administrator knowing.”

The flaw affects Nexus 3000 series switches and Nexus 9000 series switches, in standalone NX-OS mode, running NX-OS software release 9.3(5) or release 9.3(6).

The good news is that Cisco is not aware of attacks in the wild exploiting these vulnerabilities.

The full list of flaws addressed by the tech company is available on Cisco’s security portal.


(SecurityAffairs – hacking, Cisco)
