
Cisco ACI Multi-Site Orchestrator Application Services Engine Deployment Authentication Bypass Vulnerability [CVE-2021-1388]

CVE number: CVE-2021-1388

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device.

The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Vulnerable Products

This vulnerability affects Cisco ACI Multi-Site Orchestrator (MSO) running a 3.0 release of software only when deployed on a Cisco Application Services Engine.

The MSO can be deployed in the following ways:

  • MSO cluster in a Cisco Application Services Engine. The MSO software image can be identified by an ‘aci’ extension.
  • MSO nodes deployed as VMs on a hypervisor. The MSO software image can be identified by an ‘ova’ extension.
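As an added example (not part of the advisory or of any Cisco tooling), the two affected-product criteria above can be turned into a small inventory triage helper: a node is flagged only when it runs a 3.0 release and its image carries the ‘aci’ extension, since ‘ova’ deployments on a hypervisor are not in scope. The version string formats, hostnames and image file names in the sample inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MsoNode:
    hostname: str
    version: str  # constructed formats such as "3.0(2k)" or "3.0.1"
    image: str    # software image file name, e.g. "mso-3.0.aci" (constructed)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)")


def release_train(version: str) -> Optional[Tuple[int, int]]:
    """Return the (major, minor) release train of an MSO version string,
    or None if the string cannot be parsed (treated as not matched)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def deployed_on_ase(image: str) -> bool:
    """The advisory identifies an Application Services Engine deployment by
    the 'aci' image extension; 'ova' images are hypervisor VM deployments."""
    return image.lower().rsplit(".", 1)[-1] == "aci"


def is_affected(node: MsoNode) -> bool:
    """CVE-2021-1388 applies to the 3.0 release only when the MSO is
    deployed on an Application Services Engine (both conditions required)."""
    return release_train(node.version) == (3, 0) and deployed_on_ase(node.image)


def affected_hosts(nodes: List[MsoNode]) -> List[str]:
    """Hostnames of the nodes that need the Cisco fixed software."""
    return [n.hostname for n in nodes if is_affected(n)]


# Constructed sample inventory: not real hosts, versions or image names.
SAMPLE_INVENTORY = [
    MsoNode("mso-ase-1", "3.0(2k)", "mso-3.0-2k.aci"),   # 3.0 on ASE: affected
    MsoNode("mso-vm-1", "3.0(2k)", "mso-3.0-2k.ova"),    # 3.0 on hypervisor: not
    MsoNode("mso-ase-2", "2.2(3c)", "mso-2.2-3c.aci"),   # other release: not
    MsoNode("mso-ase-3", "3.1(1a)", "mso-3.1-1a.aci"),   # other release: not
    MsoNode("mso-unknown", "unknown", "mso.aci"),        # unparsable version
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2021-1388, apply Cisco fixed software")
```

Nodes whose version cannot be parsed are not flagged, so they should be reviewed by hand rather than assumed clean.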

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
