Critical vulnerabilities impacting Cisco Elastic Services Controller

Web application security testing experts reported a critical vulnerability in Cisco Elastic Services Controller (ESC), which could allow an unauthenticated remote hacker to take full control of the compromised system using just a specially designed request.

ESC is a virtual network function manager employed by hundreds of companies to automate the deployment and monitoring of tasks performed on their virtual machines. The vulnerability, tracked as CVE-2019-1867, is an authentication bypass flaw and has received a score of 10/10 on the Common Vulnerability Scoring System (CVSS) scale, making it a critical security issue.

“The flaw could allow an attacker to bypass the authentication process in REST API”, the company’s advisory states. Web application security testing experts note that Cisco released the fixes for the vulnerability a couple of days ago; users are encouraged to install the updates because no workarounds are known.

The company states that the vulnerability exists due to improper validation of requests sent to the REST API, the interface that lets a client communicate with the web-based server using REST conventions.

A potential attacker would only have to send a specially crafted request to the REST API to exploit the vulnerability; if successfully exploited, the flaw would allow the threat actor to execute arbitrary actions through the REST API with administrative privileges, the web application security testing experts noted.

The vulnerability was discovered during a Cisco internal security audit; the company has reported that it impacts ESC running software versions 4.1, 4.2, 4.3 and 4.4 with the REST API enabled. It is noteworthy that the REST API is not enabled by default in Cisco ESC.

Just a few days ago, Cisco had released fixes for two critical vulnerabilities that, if exploited, could have allowed hackers to deploy denial-of-service (DoS) attacks against some company firewall deployments.

According to the specialists from the International Institute of Cyber Security (IICS), so far there is no evidence to prove that the vulnerability has been exploited in the wild.