CISCO fixed three critical issued in Elastic Services Controller and Ultra Services Framework, admins have to manual patch them.

The last weekly security update list published by CISCO includes three critical vulnerabilities affecting the Elastic Services Controller and Ultra Services Framework.

The flaw, tracked as CVE-2017-6713, in the network function virtualisation management environment Elastic Services Controller is related to the use of static default credentials that would let a remote attacker access to all the instances of the controller’s UI.

“A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system.” reads the security advisory published by CISCO.

“The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI.”

As reported in the security advisory the same credentials are shared between multiple installations, allowing an attacker to generate an admin session token to access any instances of the Elastic Services Controller web UI.

A second issue, tracked as CVE-2017-6712, is a privilege escalation bug caused by the presence of the user ‘tomcat‘ having access to shell commands that lets that user overwrite any file on the system, and elevate their privilege to root.

“A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server.” states the advisory issued by CISCO.

“The vulnerability occurs because a “tomcat” user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. An exploit could allow an authenticated, remote attacker to elevate privileges and run dangerous commands on the server.”

Other issues affect the Ultra Services Framework’s (USF) automation service.

A first bug in the Ultra Services Framework’s (USF) automation service (CVE-2017-6711) is related to an insecure configuration of the Apache ZooKeeper service, which could be exploited by a remote attacker to get access to the orchestrator network.

“A vulnerability in the Ultra Automation Service (UAS) of the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device.” states the advisory.

“The vulnerability is due to an insecure default configuration of the Apache ZooKeeper service used by the affected software. An attacker could exploit this vulnerability by accessing the affected device through the orchestrator network. An exploit could allow the attacker to gain access to ZooKeeper data nodes (znodes) and influence the behavior of the system’s high-availability feature.”

A second bug in the Ultra Services Framework’s (USF) automation service, tracked as CVE-2017-6714, resides in the staging server and could lead Arbitrary Command Execution.

“A vulnerability in the AutoIT service of Cisco Ultra Services Framework Staging Server could allow an unauthenticated, remote attacker to execute arbitrary shell commands as the Linux root user.” states the advisory.

“The vulnerability is due to improper shell invocations. An attacker could exploit this vulnerability by crafting CLI command inputs to execute Linux shell commands as the root user. An exploit could allow the attacker to execute arbitrary shell commands as the Linux root user.”

The last issue in the Ultra Services Framework AutoVNF is a Log File User Credential Information Disclosure Vulnerability (CVE-2017-6709) in the USF’s AutoVNF.

The use of Admin credentials is logged in clear text, an attacker can retrieve them accessing the logfile’s URL.

A vulnerability in the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to access administrative credentials for Cisco Elastic Services Controller (ESC) and Cisco OpenStack deployments in an affected system.

“The vulnerability exists because the affected software logs administrative credentials in clear text for Cisco ESC and Cisco OpenStack deployment purposes. An attacker could exploit this vulnerability by accessing the AutoVNF URL for the location where the log files are stored and subsequently accessing the administrative credentials that are stored in clear text in those log files. A successful exploit could allow the attacker to access the administrative credentials for Cisco ESC and Cisco OpenStack deployments in the affected system, which the attacker could use to conduct additional attacks.” states the advisory.

“The same product also has a symbolic link error that exposes the system to arbitrary file read and malicious code execution.”

Pierluigi Paganini

(Security Affairs – CISCO, hacking)

Share this...

Linkedin Reddit Pinterest

Share On