Cisco issues patches for high-end software systems ACI, Application Services Engine and NX-OS operating system.

Cisco has issued three security advisories rated “critical” for some of its high-end software systems: two aimed at its Application Services Engine (ASE) implementation and one at the NX-OS operating system.

The most concerning warning came for Cisco Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) installed with the ASE, which was rated a worst-case 10 out of a possible 10 on the Common Vulnerability Scoring System (CVSS). The ACI Multi-Site Orchestrator lets customers control application-access policies across Cisco Application Policy Infrastructure Controller-based fabrics.

According to the advisory, a vulnerability in an API endpoint of Cisco ACI MSO installed on the ASE could let an unauthenticated, remote attacker bypass authentication on an affected device. A successful exploit could let the attacker receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices. The vulnerability is due to improper token validation on a specific API endpoint and affects Cisco ACI MSO running a 3.0 release of software only when deployed on a Cisco ASE, Cisco stated.

The second critical warning is about the ASE itself, where Cisco says there are multiple weaknesses that together rate 9.8 out of 10 on the CVSS scale, including:

A weakness that would let an attacker gain privileged access to run containers or invoke host-level operations. The vulnerability is due to insufficient access controls for a service running in the Data Network. An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service, Cisco stated.

A vulnerability that could allow an unauthenticated, remote attacker access to a specific API on an affected device.
A successful exploit could allow the attacker to learn device-specific information, create tech support files in an isolated volume, and make limited configuration changes. The vulnerability is due to insufficient access controls for an API running in the Data Network. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected API, Cisco stated.

The final critical warning, rated 9.8 out of 10, is in the NX-OS operating system for Cisco’s Nexus switches. Cisco says an exposure in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could let an unauthenticated, remote attacker create, delete, or overwrite arbitrary files with root privileges on the device.

“This vulnerability exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests,” Cisco stated. “An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075. A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration,” Cisco stated. “For example, the attacker could add a user account without the device administrator knowing,” the vendor stated.

Cisco has released free software updates that address the critical vulnerabilities and advises customers to consult its advisories for more information. There were a number of other less serious advisories issued around the NX-OS and Nexus switch portfolio as well.
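For the port 9075 exposure above, the practical question on the defending side is which peers are actually reaching that service on switch interface addresses. The following is an added example, not Cisco's code or anything from the advisory: it scans constructed firewall flow-log lines for TCP/9075 connections to Nexus interface IPs from outside a trusted management subnet. The log format, the device inventory and the trusted subnet are all assumptions.

```python
import ipaddress
from typing import Dict, List

# Assumed inventory (constructed): IPs configured on local interfaces of
# Nexus 3000/9000 switches running standalone NX-OS.
NEXUS_INTERFACE_IPS = {"10.10.0.5", "10.10.0.6", "192.0.2.20"}

# Assumed: the only network that should ever reach switch services.
TRUSTED_MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed firewall/flow log format:
#   "<time> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>"
def parse_flow(line: str) -> Dict[str, object]:
    time, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    src_ip, _ = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return {"time": time, "proto": fields["proto"], "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "action": fields["action"]}

def find_port_9075_exposure(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per TCP/9075 connection to a Nexus interface from
    outside the trusted management network.  Allowed flows are 'high'
    (the file management service answered an external peer); denied ones
    are 'blocked', still worth reviewing as evidence of probing."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dst_port"] != 9075:
            continue
        if f["dst_ip"] not in NEXUS_INTERFACE_IPS:
            continue  # not one of our switches
        if ipaddress.ip_address(f["src_ip"]) in TRUSTED_MGMT_NET:
            continue  # expected management traffic
        alerts.append({"time": f["time"], "src": f["src_ip"], "device": f["dst_ip"],
                       "severity": "high" if f["action"] == "allow" else "blocked"})
    return alerts

# Constructed sample flows; only the second and fifth should raise an alert.
SAMPLE_FLOWS = [
    "10:00:01 proto=tcp src=10.10.0.50:51000 dst=10.10.0.5:9075 action=allow",
    "10:00:02 proto=tcp src=198.51.100.7:40222 dst=192.0.2.20:9075 action=allow",
    "10:00:03 proto=tcp src=198.51.100.7:40223 dst=10.10.0.6:22 action=allow",
    "10:00:04 proto=udp src=198.51.100.8:9075 dst=10.10.0.5:9075 action=allow",
    "10:00:05 proto=tcp src=203.0.113.9:33000 dst=10.10.0.5:9075 action=deny",
    "10:00:06 proto=tcp src=203.0.113.9:33001 dst=10.20.0.1:9075 action=allow",
]

if __name__ == "__main__":
    for alert in find_port_9075_exposure(SAMPLE_FLOWS):
        print(alert)
```

A "high" hit on a device still running unpatched NX-OS is the case the advisory describes: the service answered a peer that should never have reached it, so the device's files and local accounts should be reviewed alongside applying the update.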
They included one describing a vulnerability in the NX-API feature of Cisco NX-OS Software that could let an unauthenticated, remote attacker conduct a cross-site request forgery (CSRF) attack on an affected system. A successful exploit could let the attacker perform arbitrary actions with the privilege level of the affected user; the attacker could view and modify the device configuration, Cisco stated.

Another warning described a vulnerability in the fabric infrastructure VLAN connection establishment of Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode that could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. With a connection to the infrastructure VLAN, the attacker can make unauthorized connections to Cisco APIC services or join other host endpoints, Cisco stated.

Cisco said it has released free software updates to address these issues.