Cisco fixes maximum severity MSO auth bypass vulnerability

Posted by & filed under Security Alerts.

Cisco has addressed a maximum severity authentication bypass vulnerability found in the API endpoint of the Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine.

Cisco ACI MSO is an intersite network and policy orchestration solution that helps admins monitor the health of their organizations’ interconnected sites across multiple data centers.

Impacts only MSO 3.0 releases

“A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device,” Cisco explained.

Unauthenticated attackers may bypass authentication remotely on affected devices by sending a crafted request to exploit the improper token validation bug affecting the CISCO ACI MSO API endpoint.

Successful attacks allow the attackers to get an authentication token with admin-level privileges for authenticating to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

The vulnerability (tracked as CVE-2021-1388 and with a 10/10 CVSS base score) only impacts Cisco ACI MSO 3.0 versions and ONLY when deployed on a Cisco Application Services Engine unified application hosting platform.

Even if you cannot immediately patch vulnerable routers, the Cisco Product Security Incident Response Team (PSIRT) says that it isn’t aware of public announcements or malicious use of the CVE-2021-1388 bug.

All customers are advised to immediately upgrade their installation to the Cisco ACI MSO 3.0(3m) release that addresses the critical security flaw and prevents exploitation attempts.


Cisco ACI Multi-Site Orchestrator Software Release First Fixed Release for This Vulnerability
Earlier than 2.2 Not vulnerable
2.2 Not vulnerable
3.01 3.0(3m)
3.1 Not vulnerable
3.2 Not vulnerable

1. Version 3.0(1i) is not vulnerable. All other 3.0 versions are vulnerable up to the first fixed release.

More critical and high severity patches

Today, Cisco also addressed a critical severity unauthorized access vulnerability (CVE-2021-1393) in the Cisco Application Services Engine.

After successful exploitation, they could “could allow an unauthenticated, remote attacker to access a privileged service on an affected device [..] to run containers or invoke host-level operations.”

The company also patched five more security vulnerabilities affecting Cisco FXOS Software, Cisco NX-OS Software, and Cisco UCS Software, with severity ratings ranging from high severity (8.1/10 CVSS base score) up to critical (9.8/10).

A full list of all security flaws addressed by Cisco today can be found on the company’s Security Advisories page.

In early-February, Cisco addressed multiple pre-auth remote code execution (RCE) vulnerabilities affecting small business VPN routers and allowing attackers to execute arbitrary code as root.


The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.