Critical flaw allows attackers to take over Cisco Elastic Services Controllers. Cisco has patched a critical, remotely exploitable authentication bypass vulnerability in Cisco Elastic Services Controller (ESC), a popular enterprise software for managing virtualized resources.

Cisco Elastic Services Controller Architecture

Cisco Elastic Services Controller Architecture

About the vulnerability (CVE-2019-1867) Critical flaw allows attackers to take over Cisco Elastic Services Controllers

“The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system,” Cisco explains.

CVE-2019-1867 has received a “perfect” 10.0 base CVSS score due to the fact that it can be exploited remotely, without the attacker having special privileges and without user interaction, and has a high impact on the system’s confidentiality, integrity and availability. In addition, the attack is easy to perform, as its complexity is low.

The vulnerability affects versions 4.1, 4.2, 4.3, and 4.4 of Cisco Elastic Services Controller (ESC), but only if the vulnerable REST API is enabled – and it’s not by default. Nevertheless, it’s likely that many users have it enabled.

Another good news is that the flaw was discovered by Cisco during internal security testing and there is no indication that it is currently being exploited in the wild.

Administrators are advised to upgrade to Cisco Elastic Services Controller Release 4.5 to plug the hole.

Related Videos:


Related Posts:

Security experts say health care industry is prized target for cyber criminals

A Cisco Router Bug Has Massive Global Implications

U.S. Govt Issues Microsoft Office 365 Security Best Practices

Cybersecurity burnout: 10 most stressful parts of the job

It’s Almost Impossible to Tell if Your iPhone Has Been Hacked

Free online cybersecurity training resources

Introduction to Batch File Viruses

How do I install plugins in WordPress?

City of Toronto data at risk of cyber attack: report

Google is about to have a lot more ads on phones

The dark web represents only a fraction of the rest of the internet

Russia ‘successfully tests’ its unplugged internet