ESB-2017.2049 - [Appliance] Cisco Application Policy Infrastructure Controller: Unauthorised access - Existing account 2017-08-17

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2049
          Cisco Application Policy Infrastructure Controller SSH
                    Privilege Escalation Vulnerability
                              17 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Application Policy Infrastructure Controller
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6767  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170816-apic1

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco Application Policy Infrastructure Controller SSH Privilege Escalation Vulnerability

High

Advisory ID: cisco-sa-20170816-apic1

First Published: 2017 August 16 16:00  GMT

Version 1.0: Final

Workarounds: Yes

Cisco Bug IDs: CSCvc34335

CVSS Score: Base 7.1, Temporal 7.1

CVE-2017-6767
CWE-264

Summary

A vulnerability in Cisco Application Policy Infrastructure Controller
(APIC) could allow an authenticated, remote attacker to gain higher
privileges than the account is assigned. The attacker will be granted
the privileges of the last user to log in, regardless of whether those
privileges are higher or lower than what should have been granted. The
attacker cannot gain root-level privileges.

The vulnerability is due to a limitation with how Role-Based Access
Control (RBAC) grants privileges to remotely authenticated users when
login occurs via SSH directly to the local management interface of the
APIC. An attacker could exploit this vulnerability by authenticating to
the targeted device. The attacker's privilege level will be modified to
match that of the last user to log in via SSH. An exploit could allow
the attacker to gain elevated privileges and perform CLI commands that
should be restricted by the attacker's configured role.

Cisco has released software updates that address this
vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170816-apic1

Affected Products

Vulnerable Products
This vulnerability affects Cisco APIC under the following conditions:
The attacker uses SSH to connect to the local management interface
of the APIC.
The attacker uses a remote user credential, which means that the
authentication is done by a remote authentication server (for
example, TACACS or RADIUS).
The attacker has valid user credentials for the remote user.
Cisco APIC is not vulnerable under these conditions:
A locally configured user on the device is not vulnerable.
If the remote connection to the APIC is done via the
Representational State Transfer (REST) API or GUI, the device is
not vulnerable. However, if the Launch SSH feature within the GUI
is used, it could be vulnerable if remote authentication is used.
All software versions prior to the first fixed release are
vulnerable. For information about fixed software releases, consult
the Fixed Software section of this advisory.

To determine which release of APIC is running on a device, administrators
can use the CLI command show version. The following example shows the
output of the command for a device running software release 1.2(3m):

APIC# show version

Role        Id          Name                      Version
- ----------  ----------  ------------------------  --------------------
controller  1           APIC                      1.2(3m)
.
.
.


Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this
vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco
Application Policy Infrastructure Controller Enterprise Module (APIC-EM).

Workarounds

There are workarounds that address this vulnerability. On the remote
authentication server, each remote user can be configured with a
Cisco Attribute-Value (AV) Pair, which includes a unique UNIX User
Identifier. If this AV Pair is not present, then all users are
assigned the same default UNIX User Identifier, which results in
the vulnerability. For additional information on this configuration,
please refer to Externally Managed Authentication Server Users Cisco
AV Pair Format. Please contact the Cisco TAC if additional assistance
is needed with this configuration.

In addition, while not workarounds, there are mitigations that can
be used. This vulnerability only exists when SSH is used to connect
to the local management interface of the APIC. If the connection uses
the REST API or GUI interface, this vulnerability does not exist.

Fixed Software

Cisco has released free software updates that address the
vulnerability described in this advisory. Customers may only
install and expect support for software versions and feature
sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they
have a valid license, procured from Cisco directly, or through a
Cisco authorized reseller or partner. In most cases this will be a
maintenance upgrade to software that was previously purchased. Free
security software updates do not entitle customers to a new software
license, additional software feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from
the Cisco Security Advisories and Alerts page, to determine exposure
and a complete upgrade solution.

In all cases, customers should ensure that the devices to upgrade
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their contracted
maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco TAC:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a
free upgrade.

Fixed Releases

Customers should upgrade to an appropriate release as indicated in
the table in this section. To help ensure a complete upgrade solution,
consider that this advisory is part of a collection that includes the
following advisories:

cisco-sa-20170816-apic1: Cisco Application Policy Infrastructure Controller SSH Privilege Escalation Vulnerability
cisco-sa-20170816-apic2: Cisco Application Policy Infrastructure Controller Custom Binary Privilege Escalation Vulnerability

In the following table, the left column lists major releases of
Cisco software. The center column indicates whether a major release
is affected by the vulnerability described in this advisory and the
first minor release that includes the fix for this vulnerability. The
right column indicates whether a major release is affected by all the
vulnerabilities described in this collection of advisories and the
current recommended release for those vulnerabilities.

Cisco Application Policy 	First Fixed Release 		Recommended Release for This Vulnerability and 
Infrastructure Controller	for This Vulnerability		All Vulnerabilities Described in the Collection of Advisories

Prior to 2.0			Vulnerable; migrate to 2.2(2e)	2.2(2e)
2.0				Vulnerable; migrate to 2.2(2e)	2.2(2e)
2.1				Vulnerable; migrate to 2.2(2e)	2.2(2e)
2.2				2.2(2e)				2.2(2e)
2.3				2.3(1f)				2.3(1f)
3.0 (future release)		Not Vulnerable			Not Vulnerable

The software updates can be downloaded from the Software Center on
Cisco.com by navigating to Products > Cloud and Systems Management >
Policy and Automation Controllers > Application Policy Infrastructure
Controller (APIC).

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerability that
is described in this advisory.

Source

This vulnerability was found during resolution of a Cisco TAC support
case.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170816-apic1

Revision History

Version		Description		Section		Status	Date
1.0		Initial public release.	--		Final	2017-August-16

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE
DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO
RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits
the distribution URL is an uncontrolled copy and may lack important
information or contain factual errors. The information in this document
is intended for end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWZUV84x+lLeg9Ub1AQjwbw/+LAB8BrG+16/yeNMtmSE6VBUFTJ+bSAuz
JMnEe2HjNRQhcQ6GXABLRNKbTdpB3Z98Q23x2demEvW616FivMMpJ/I24Q9JQOXF
xTNeII4ref611pdZcRZxuhFiX1eRq/Pz15XlQ9SGjUFVfSXawqkMArskxixbkArY
YviuVdSQr4AbuLjy0GgChpp/tiu84MzqId9RUXMP2SUFv5H2QnSCviHpJ1VVSwY1
Jw6fTH8dgxvgDuxZDSyHnEEl8/Oq01IQzRI/PygrAZZPwn5A8NjlB7Rfbg5ZpJh2
oNP3U6+FWCZSixja/htLMiDVNLYtpTlJ6uJKabwO0kkjtH/Ll9/kuTvn5DK1QQij
a+7dZgKBuN2wPhMscwL2SLvitA8GkxfED9OCul76KBnOG34uVt1y09pe0+LUqCjZ
6/ndPBo5NWS1KtN62KHRa/gmvclyLsUQIH4FofuDoKLw6hI7ubJ5h2bdm7qVlkD3
Vdj7YjlUMUmFY2fH/3tRwO9nuf2+QVgAHbuvCqVhQyhVoQibWhKPGp5KaHh9GKod
IrPBPU+aq5XST29Qu3bPPPPfvIPqqfhiOONFNOK1DuxfFGxNhLaKYNHI6A0m91Hf
lFqR4UoO/7mATOZoS8g5x/X6boEyqA03S2AXgt36v/xc9NuxHyD0XOXbOyImNt3z
/LAlkleH6yM=
=Lb/+
-----END PGP SIGNATURE-----

« Back to bulletins