Cisco Patches Elastic Services Controller to Address Critical REST API Vulnerability
This week Cisco Systems Inc. posted a critical security advisory addressing a vulnerability in the REST API of its Elastic Services Controller (ESC). If successfully exploited, the vulnerability could let an unauthenticated, remote attacker bypass authentication on the REST API.
Cisco explained that the vulnerability was found during internal security tests and that it exists "due to improper validation of API requests." The vulnerability can be exploited if an attacker sends a crafted request to the REST API, which would allow them "to execute arbitrary actions through the REST API with administrative privileges on an affected system."
While there are no workarounds to address the REST API vulnerability, Cisco did release free software updates that are available to customers who have purchased a license. The vulnerability affects Cisco ESC running software release 4.1, 4.2, 4.3 or 4.4 when the REST API is enabled (note that it is not enabled by default). Cisco ESC software release 4.5 and releases prior to 4.1 are not vulnerable.
Administrators can run sudo netstat -tlnup | grep -E '8443|8080' on their Cisco ESC virtual machines and check the output for listening sockets on those ports to determine whether the REST API is enabled.
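The following shell script is an added example (not from the article or from Cisco) that wraps the listening-port check in a function a fleet operator could reuse. It assumes only what the article states: that an enabled ESC REST API listens on TCP port 8443 or 8080. Note that plain grep treats the vertical bar as a literal character, so the alternation needs grep -E (or the escaped form '8443\|8080'); the function below also requires the socket to be in LISTEN state so that a remote peer on port 8080 does not produce a false positive. The two netstat outputs embedded in the script are constructed samples, not captures from a real ESC host.

```shell
#!/bin/sh
# Added example: detect an ESC REST API listener (TCP 8443 or 8080, per the advisory)
# in netstat-style output. The sample outputs below are constructed for illustration.

# rest_api_listening reads "netstat -tlnup" style output on stdin and returns 0
# if a TCP socket in LISTEN state is bound to local port 8443 or 8080, else 1.
# The [[:space:]] after the port keeps 18443 or 80801 from matching.
rest_api_listening() {
    grep -E '^tcp.*:(8443|8080)[[:space:]].*LISTEN' >/dev/null
}

# Constructed sample: REST API enabled (a process is listening on 8443).
SAMPLE_ENABLED='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1501/java'

# Constructed sample: REST API disabled. Port 8080 appears only as the remote end
# of an outbound connection, which must not be reported as an enabled API.
SAMPLE_DISABLED='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:49152          10.0.0.9:8080           ESTABLISHED 1602/curl'

# check_sample LABEL TEXT prints a verdict for one netstat output and returns
# 0 when the REST API listener is present, 1 otherwise.
check_sample() {
    if printf '%s\n' "$2" | rest_api_listening; then
        echo "$1: REST API listener present on 8443/8080; confirm ESC release is patched"
        return 0
    else
        echo "$1: no REST API listener on 8443/8080"
        return 1
    fi
}

# Demonstration on the constructed samples.
check_sample enabled "$SAMPLE_ENABLED" || true
check_sample disabled "$SAMPLE_DISABLED" || true

# On a real ESC VM (needs root for -p to show other users' PIDs):
#   sudo netstat -tlnup | rest_api_listening && echo "REST API enabled"
```

On hosts where netstat is unavailable, the same function accepts "ss -tlnp" output, since ss also prints the local address as host:port followed by whitespace and the LISTEN state.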
Cisco also stated that its Product Security Incident Response Team (PSIRT) had not been aware of any public announcements or malicious use of the vulnerability.
Wendy Hernandez is group managing editor for the 1105 Enterprise Computing Group.