Critical flaw allows attackers to take over Cisco Elastic Services Controllers
Cisco has patched a critical, remotely exploitable authentication bypass vulnerability in Cisco Elastic Services Controller (ESC), popular enterprise software for managing virtualized resources.
About the vulnerability (CVE-2019-1867)
“The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system,” Cisco explains.
CVE-2019-1867 has received a “perfect” 10.0 base CVSS score because it can be exploited remotely, without special privileges and without user interaction, and has a high impact on the system’s confidentiality, integrity and availability. In addition, the attack is easy to perform, as its complexity is low.
The vulnerability affects versions 4.1, 4.2, 4.3, and 4.4 of Cisco Elastic Services Controller (ESC), but only if the vulnerable REST API is enabled – and it’s not by default. Nevertheless, it’s likely that many users have it enabled.
More good news: the flaw was discovered by Cisco during internal security testing, and there is no indication that it is currently being exploited in the wild.
Administrators are advised to upgrade to Cisco Elastic Services Controller Release 4.5 to plug the hole.