Cisco has addressed a maximum severity authentication bypass vulnerability found in the API endpoint of the Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine.

Cisco ACI MSO is an intersite network and policy orchestration solution that helps admins monitor the health of their organizations’ interconnected sites across multiple data centers.

Impacts only MSO 3.0 releases

“A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device,” Cisco explained.

Unauthenticated attackers may bypass authentication remotely on affected devices by sending a crafted request to exploit the improper token validation bug affecting the CISCO ACI MSO API endpoint.

Successful attacks allow the attackers to get an authentication token with admin-level privileges for authenticating to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

The vulnerability (tracked as CVE-2021-1388 and with a 10/10 CVSS base score) only impacts Cisco ACI MSO 3.0 versions and ONLY when deployed on a Cisco Application Services Engine unified application hosting platform.

Even if you cannot immediately patch vulnerable routers, the Cisco Product Security Incident Response Team (PSIRT) says that it isn’t aware of public announcements or malicious use of the CVE-2021-1388 bug.

All customers are advised to immediately upgrade their installation to the Cisco ACI MSO 3.0(3m) release that addresses the critical security flaw and prevents exploitation attempts.

Cisco ACI Multi-Site Orchestrator Software Release First Fixed Release for This Vulnerability
Earlier than 2.2 Not vulnerable
2.2 Not vulnerable
3.01 3.0(3m)
3.1 Not vulnerable
3.2 Not vulnerable

1. Version 3.0(1i) is not vulnerable. All other 3.0 versions are vulnerable up to the first fixed release.

More critical and high severity patches

Today, Cisco also addressed a critical severity unauthorized access vulnerability (CVE-2021-1393) in the Cisco Application Services Engine.

After successful exploitation, they could “could allow an unauthenticated, remote attacker to access a privileged service on an affected device [..] to run containers or invoke host-level operations.”

The company also patched five more security vulnerabilities affecting Cisco FXOS Software, Cisco NX-OS Software, and Cisco UCS Software, with severity ratings ranging from high severity (8.1/10 CVSS base score) up to critical (9.8/10).

A full list of all security flaws addressed by Cisco today can be found on the company’s Security Advisories page.

In early-February, Cisco addressed multiple pre-auth remote code execution (RCE) vulnerabilities affecting small business VPN routers and allowing attackers to execute arbitrary code as root.