Just days after disclosing a critical bug in its Nexus switches, Cisco is warning customers of an even more dangerous flaw in the REST application programming interface (API) of its Elastic Services Controller (ECS).
Even without a valid password, a remote attacker can bypass Cisco’s vulnerable REST API’s authentication system.
Cisco notes the severity of the bug has a score of 10 out of a possible 10, signaling that this particular bug is extremely risky for customers. The rating is due to the fact that the bug is remotely exploitable and doesn't require a high skill level to attack.
The company warns that an attacker could exploit the flaw to take full control of a vulnerable system.
“The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system,” it notes.
Despite the high severity rating, Cisco notes that devices running the software are not vulnerable if REST API is disabled, which is its default state. The company is not aware of any attacks that uses this vulnerability, which was found during internal testing.
Cisco doesn’t give away much about the bug other than that the flaw affects ECS devices running software release 4.1, 4.2, 4.3, or 4.4 when the REST API is enabled.
The bug has been removed from ECS release 4.5, which Cisco released in April.
ESC is an enterprise tool for managing virtualized networks that Cisco calls a Virtual Network Functions Manager. It is used to manage the lifecycle of virtual network functions.
ECS is part of the company’s network functions virtualization portfolio for data centers, which includes its Nexus switches for data centers.
The company last week warned customers that its NX-OS operating system for Nexus 9000 series devices contained a Secure Shell key pair that could be nabbed by hackers to connect to the devices over IPv6.
The bug was one of several the company fixed in NX-OS Software release 14.1(1i). It had a severity rating of 9.8 out of 10.
The last time Cisco disclosed a bug with a 10 out of 10 severity rating regarded a bug disclosed in January 2018 that affected its Adaptive Security Appliance (ASA) software. Within a month hackers began exploiting it, prompting additional patches from Cisco.