Critical flaw allows attackers to take over Cisco Elastic Services Controllers. Cisco has patched a critical, remotely exploitable authentication bypass vulnerability in Cisco Elastic Services Controller (ESC), a popular enterprise software for managing virtualized resources.
About the vulnerability (CVE-2019-1867) Critical flaw allows attackers to take over Cisco Elastic Services Controllers
“The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system,” Cisco explains.
CVE-2019-1867 has received a “perfect” 10.0 base CVSS score due to the fact that it can be exploited remotely, without the attacker having special privileges and without user interaction, and has a high impact on the system’s confidentiality, integrity and availability. In addition, the attack is easy to perform, as its complexity is low.
The vulnerability affects versions 4.1, 4.2, 4.3, and 4.4 of Cisco Elastic Services Controller (ESC), but only if the vulnerable REST API is enabled – and it’s not by default. Nevertheless, it’s likely that many users have it enabled.
Another good news is that the flaw was discovered by Cisco during internal security testing and there is no indication that it is currently being exploited in the wild.
Administrators are advised to upgrade to Cisco Elastic Services Controller Release 4.5 to plug the hole.