Cisco Application Services Engine Unauthorized Access Vulnerabilities [CVE-2021-1393 & CVE-2021-1396]

CVE numbers = CVE-2021-1393 & CVE-2021-1396

Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes.

Vulnerable Products

These vulnerabilities affect Cisco Application Services Engine Software releases 1.1(3d) and earlier.

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.

Details about the vulnerabilities are as follows:

CVE-2021-1393: Cisco Application Services Engine Unauthorized Service Access Vulnerability

A vulnerability in Cisco Application Services Engine could allow an unauthenticated, remote attacker to access a privileged service on an affected device.

The vulnerability is due to insufficient access controls for a service running in the Data Network. An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations.

Bug ID(s): CSCvw14124
CVE ID: CVE-2021-1393
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVE-2021-1396: Cisco Application Services Engine Unauthorized API Access Vulnerability

A vulnerability in Cisco Application Services Engine could allow an unauthenticated, remote attacker access to a specific API on an affected device.

The vulnerability is due to insufficient access controls for an API running in the Data Network. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected API. A successful exploit could allow the attacker to learn device-specific information, create tech support files in an isolated volume, and make limited configuration changes.

Bug ID(s): CSCvw55819
CVE ID: CVE-2021-1396
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Further details available at – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-case-mvuln-dYrDPC6w