Cisco has patched a critical vulnerability in the REST API of its Elastic Services Controller that could allow an attacker to bypass authentication on the REST API and take over affected systems.
Cisco’s Elastic Services Controller (ESC) is used as a single point of control to manage network functions virtualization (NFV) environments. ESC includes virtual machine (VM) and service monitoring, auto-recovery and dynamic scaling.
The bug, tracked as CVE-2019-1867, carries a CVSS base score of 10.0, the highest possible severity rating. Organizations running ESC should treat patching as a high priority.
Cisco described the vulnerability in a new advisory released on Tuesday:
“The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system.”
The vulnerability affects Cisco Elastic Services Controller running Software Release 4.1, 4.2, 4.3, or 4.4, and only when the REST API is enabled. Cisco also noted that the REST API is not enabled by default, so deployments that have never turned it on are not exposed.
Cisco has released Elastic Services Controller Software Release 4.5, which addresses the vulnerability.