ESB-2021.2871

Operating System:

Published:

26 August 2021

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Resources > Security Bulletins > ESB-2021.2871

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2871
Cisco Application Policy Infrastructure Controller security update
26 August 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Application Policy Infrastructure Controller
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Root Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Existing Account
Create Arbitrary Files -- Remote/Unauthenticated
Cross-site Scripting -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-1582 CVE-2021-1581 CVE-2021-1580
CVE-2021-1579 CVE-2021-1578 CVE-2021-1577

Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-chvul-CKfGYBh8
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-mdvul-HBsJBuvW
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-pesc-pkmGK4J
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-scss-bFT75YrM

Comment: This bulletin contains five (5) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Application Policy Infrastructure Controller App Privilege Escalation
Vulnerability

Priority: High
Advisory ID: cisco-sa-capic-chvul-CKfGYBh8
First Published: 2021 August 25 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvw57164
CVE Names: CVE-2021-1579
CWEs: CWE-250

Summary

o A vulnerability in an API endpoint of Cisco Application Policy
Infrastructure Controller (APIC) and Cisco Cloud Application Policy
Infrastructure Controller (Cloud APIC) could allow an authenticated, remote
attacker with Administrator read-only credentials to elevate privileges on
an affected system.

This vulnerability is due to an insufficient role-based access control
(RBAC). An attacker with Administrator read-only credentials could exploit
this vulnerability by sending a specific API request using an app with
admin write credentials. A successful exploit could allow the attacker to
elevate privileges to Administrator with write privileges on the affected
device.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-chvul-CKfGYBh8

Affected Products

o Vulnerable Products

This vulnerability affects Cisco APIC and Cisco Cloud APIC devices if they
have installed and enabled apps with admin write privileges.

To determine if a device has admin write enabled apps, do the following:

1. Open the web UI and click the Apps tab.
2. Hover the mouse pointer over an installed and enabled app ( Open is
displayed). Four icons will appear in the upper right.
3. Click the left-most icon to see the Permissions and Permission Level of
the app. If Permissions:admin and Permission Level:write are displayed,
the device is affected by this vulnerability.

For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.

Workarounds

o There are no workarounds that address this vulnerability. However,
administrators may disable or remove all apps with admin write privileges
enabled.

To disable or remove these apps, do the following:

1. Open the web UI and click the Apps tab.
2. Hover the mouse pointer over an installed and enabled app ( Open is
displayed). Four icons will appear in the upper right.
3. To disable the app, click the icon that is a circle with a line. To
remove the app, click the icon that is an X.

While this mitigation has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.

Fixed Software

o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.

When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.

In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.

Fixed Releases

In the following table(s), the left column lists Cisco software releases.
The right column indicates whether a release is affected by the
vulnerability described in this advisory and the first release that
includes the fix for this vulnerability. Customers are advised to upgrade
to an appropriate fixed software release as indicated in this section.

Cisco APIC or Cisco Cloud APIC Software Release First Fixed Release
Earlier than 3.2 Migrate to a fixed release.
3.2 3.2(10f)
4.0 Migrate to a fixed release.
4.1 Migrate to a fixed release.
4.2 4.2(7l)
5.0 Migrate to a fixed release.
5.1 Migrate to a fixed release.
5.2 5.2(2f)

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

o This vulnerability was found during internal security testing by the Cisco
Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-chvul-CKfGYBh8

Revision History

o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2021-AUG-25 |
+----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Application Policy Infrastructure Controller Arbitrary File Read and
Write Vulnerability

Priority: Critical
Advisory ID: cisco-sa-capic-frw-Nt3RYxR2
First Published: 2021 August 25 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvw57556
CVE Names: CVE-2021-1577
CWEs: CWE-284

Summary

o A vulnerability in an API endpoint of Cisco Application Policy
Infrastructure Controller (APIC) and Cisco Cloud Application Policy
Infrastructure Controller (Cloud APIC) could allow an unauthenticated,
remote attacker to read or write arbitrary files on an affected system.

This vulnerability is due to improper access control. An attacker could
exploit this vulnerability by using a specific API endpoint to upload a
file to an affected device. A successful exploit could allow the attacker
to read or write arbitrary files on an affected device.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2

Affected Products

o Vulnerable Products

This vulnerability affects Cisco APIC and Cisco Cloud APIC.

For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.

Workarounds

o There are no workarounds that address this vulnerability.

Fixed Software

Customers Without Service Contracts

Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.

Fixed Releases

Cisco APIC or Cisco Cloud APIC Software Release First Fixed Release
Earlier than 3.2 Migrate to a fixed release.
3.2 3.2(10e)
4.0 Migrate to a fixed release.
4.1 Migrate to a fixed release.
4.2 4.2(6h)
5.0 Migrate to a fixed release.
5.1 5.1(3e)
5.2 Not vulnerable.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

o This vulnerability was found during internal security testing by the Cisco
Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2

Revision History

- --------------------------------------------------------------------------------

Cisco Application Policy Infrastructure Controller Command Injection and File
Upload Vulnerabilities

Priority: Medium
Advisory ID: cisco-sa-capic-mdvul-HBsJBuvW
First Published: 2021 August 25 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvw57577 CSCvw57581
CVE Names: CVE-2021-1580 CVE-2021-1581
CWEs: CWE-284 CWE-78

Summary

o Multiple vulnerabilities in the web UI and API endpoints of Cisco
Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC
could allow a remote attacker to perform a command injection or file upload
attack on an affected system.

For more information about these vulnerabilities, see the Details section
of this advisory.

Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-mdvul-HBsJBuvW

Affected Products

o Vulnerable Products

At the time of publication, these vulnerabilities affected Cisco APIC and
Cloud APIC.

For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory. See the Details section in the bug
ID(s) at the top of this advisory for the most complete and current
information.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.

Details

o The vulnerabilities are not dependent on one another. Exploitation of one
of the vulnerabilities is not required to exploit the other vulnerability.
In addition, a software release that is affected by one of the
vulnerabilities may not be affected by the other vulnerability.

Details about the vulnerabilities are as follows:

CVE-2021-1580: Cisco APIC Command Injection Vulnerability

A vulnerability in the web UI of Cisco APIC or an API endpoint of Cisco
Cloud APIC could allow an authenticated, remote attacker to perform a
command injection attack on an affected device.

This vulnerability is due to improper input validation in the web UI and
API endpoint. An attacker with high privileges could exploit this
vulnerability by injecting crafted input during a specific command
execution. A successful exploit could allow the attacker to execute
arbitrary commands with root -level privileges on an affected device.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

Bug ID(s): CSCvw57577
CVE ID: CVE-2021-1580
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE-2021-1581: Cisco APIC File Upload Vulnerability

A vulnerability in an API endpoint of Cisco APIC or Cisco Cloud APIC could
allow an unauthenticated, remote attacker to upload files on an affected
device.

This vulnerability is due to improper access control. An attacker could
exploit this vulnerability by using a specific API endpoint to upload files
on an affected device. A successful exploit could allow the attacker to
fill the upload partition of the affected device.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

Bug ID(s): CSCvw57581
CVE ID: CVE-2021-1581
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Workarounds

o There are no workarounds that address these vulnerabilities.

Fixed Software

o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.

Fixed Releases

At the time of publication, the release information in the following table
(s) was accurate. See the Details section in the bug ID(s) at the top of
this advisory for the most complete and current information.

The left column lists Cisco software releases, and the right column
indicates whether a release was affected by the vulnerabilities described
in this advisory and which release included the fix for these
vulnerabilities.

APIC Command Injection Vulnerability: CSCvw57577

Cisco APIC and Cloud APIC Release First Fixed Release for This
Vulnerability
Earlier than 3.2 Migrate to a fixed release.
3.2 3.2(10e)
4.0 Migrate to a fixed release.
4.1 Migrate to a fixed release.
4.2 4.2(6h)
5.0 Migrate to a fixed release.
5.1 5.1(3e)
5.2 5.2(1g)

APIC File Upload Vulnerability: CSCvw57581

Cisco APIC and Cloud APIC Release First Fixed Release for This
Vulnerability
Earlier than 3.2 Migrate to a fixed release.
3.2 3.2(10f)
4.0 Migrate to a fixed release.
4.1 Migrate to a fixed release.
4.2 4.2(7l)
5.0 Migrate to a fixed release.
5.1 Migrate to a fixed release.
5.2 5.2(1g)

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.

Source

o These vulnerabilities were found during internal security testing by the
Cisco Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-mdvul-HBsJBuvW

Revision History

- --------------------------------------------------------------------------------

Cisco Application Policy Infrastructure Controller Privilege Escalation
Vulnerability

Priority: High
Advisory ID: cisco-sa-capic-pesc-pkmGK4J
First Published: 2021 August 25 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvw57550
CVE Names: CVE-2021-1578
CWEs: CWE-636

Summary

o A vulnerability in an API endpoint of Cisco Application Policy
Infrastructure Controller (APIC) and Cisco Cloud Application Policy
Infrastructure Controller (Cloud APIC) could allow an authenticated, remote
attacker to elevate privileges to Administrator on an affected device.

This vulnerability is due to an improper policy default setting. An
attacker could exploit this vulnerability by using a non-privileged
credential for Cisco ACI Multi-Site Orchestrator (MSO) to send a specific
API request to a managed Cisco APIC or Cloud APIC device. A successful
exploit could allow the attacker to obtain Administrator credentials on the
affected device.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-pesc-pkmGK4J

Affected Products

o Vulnerable Products

This vulnerability affects Cisco APIC or Cisco Cloud APIC devices if they
are running a vulnerable software release and the following conditions are
true:

The device is managed by Cisco ACI MSO.
The Cisco ACI MSO is Release 3.0(2d) through Release 3.1(1i).
The Cisco ACI MSO is installed on a Cisco Application Services Engine.

For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.

Workarounds

o There are no workarounds that address this vulnerability.

Fixed Software

o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Customers Without Service Contracts

Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.

Fixed Releases

Cisco APIC or Cisco Cloud APIC Software Release First Fixed Release
Earlier than 3.2 Not vulnerable
3.2 Not vulnerable.
4.0 Not vulnerable.
4.1 Not vulnerable.
4.2 Not vulnerable.
5.0 Migrate to a fixed release.
5.1 5.1(3e)
5.2 Not vulnerable.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

o This vulnerability was found during internal security testing by the Cisco
Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-pesc-pkmGK4J

Revision History

- --------------------------------------------------------------------------------

Cisco Application Policy Infrastructure Controller Stored Cross-Site Scripting
Vulnerability

Priority: Medium
Advisory ID: cisco-sa-capic-scss-bFT75YrM
First Published: 2021 August 25 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvy64858
CVE Names: CVE-2021-1582
CWEs: CWE-79

Summary

o A vulnerability in the web UI of Cisco Application Policy Infrastructure
Controller (APIC) or Cisco Cloud APIC could allow an authenticated, remote
attacker to perform a stored cross-site scripting attack on an affected
system.

This vulnerability is due to improper input validation in the web UI. An
authenticated attacker could exploit this vulnerability by sending
malicious input to the web UI. A successful exploit could allow the
attacker to execute arbitrary script code in the context of the web-based
interface or access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-scss-bFT75YrM

Affected Products

o Vulnerable Products

At the time of publication, this vulnerability affected Cisco APIC and
Cisco Cloud APIC.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.

Workarounds

o There are no workarounds that address this vulnerability.

Fixed Software

Fixed Releases

The left column lists Cisco software releases, and the right column
indicates whether a release was affected by the vulnerability described in
this advisory and which release included the fix for this vulnerability.

1. Releases 5.2(1h) (Cloud APIC only), 5.2(2f), and later have the fix for
this vulnerability.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

o Cisco would like to thank Adrien Peter, Pierre Milioni, and Clement Amic of
Synacktiv for reporting this vulnerability.

Cisco Security Vulnerability Policy

Related to This Advisory

o Cross-Site Scripting

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-scss-bFT75YrM

Revision History

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYSbh0uNLKJtyKPYoAQg76hAAmr5gv2VPhQYNoxlTR0aMmAqdw9KUG0+N
wPiHCa0ZjH1NgjN3SYo3tJP4Lt7FZmRmh6YXCHHECNrBJodRhbqhOZW7WqzdsWzo
FPb5Skwbpzb5lrG78HtrArrN8f5y15xjAfsDR3gXWI27LgFVtzuIfFsuwB0Oeczj
Ewjgx53wE5ywRa+xj+/j5CjzABg6GsVe+CrbsTGB4WO6PwQDYakZwgIg3IZ8mGxU
8BWXev4c1hGjGAMLPk3PkLF/ByNRcQsMZ0f+mMoTRHLvjhnKUT4T51U7KH4VstPr
0vHqMnQJ2Zko0tb9SOwS3xqIpFIw7Nsl/5LHWvhyGmkQuRCjsjqx6x6kTN3ssOWR
TG5h/547FF8YCGLLKLfiVwzaz1Q5/MkvJ46sCA9djZkt7uawvW+AiC80RZq7FvTi
JvyZ+7JU2OGvxKkF8miEZy1m47iJ7lnY473MmXzqtLR7RJwCVA0Yr+uzuMHPQRwb
pjlFvvS6xzJKwBgfHdzCULGowuJfSKi9c870nh0sidnRVNHkYn3zYMSxRz9bf2aa
rlOwaQgJeMW8Xk3hDamYT1FhifFACjyKJe0ZUDDKRwSYMF8u2tP9xTipi3WCesT2
JZtQIMcWebLgTVj5gFRsaCn/1/XrMRuRyb9qDMB7xDgXugX1p8TBJ+tTMQRmKHFf
fKWD66cfLNY=
=r1zq
-----END PGP SIGNATURE-----