CVE-2021-1388
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to bypass authentication on Cisco ACI Multi-Site Orchestrator (MSO) by exploiting improper token validation in a specific API endpoint. Successful exploitation grants administrator-level tokens that can authenticate to both MSO and managed APIC devices. Organizations using affected Cisco ACI Multi-Site Orchestrator installations are at risk.
💻 Affected Systems
- Cisco ACI Multi-Site Orchestrator (MSO)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ACI fabric with administrator access to all managed APIC devices, enabling data exfiltration, network disruption, and persistent backdoor installation.
Likely Case
Unauthorized administrative access to the MSO and potentially managed APIC devices, allowing configuration changes, policy manipulation, and credential harvesting.
If Mitigated
Limited impact if proper network segmentation, API endpoint restrictions, and monitoring are in place to detect and block exploitation attempts.
🎯 Exploit Status
The vulnerability requires sending crafted requests to a specific API endpoint, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0(1s) and later
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mso-authbyp-bb5GmBQv
Restart Required: Yes
Instructions:
1. Download the patch from Cisco's software download center.
2. Follow Cisco's upgrade guide for MSO on Application Services Engine.
3. Apply the update to version 3.0(1s) or later.
4. Restart the MSO service as required.
🔧 Temporary Workarounds
Restrict API Endpoint Access
Use network access controls to limit access to the vulnerable API endpoint from untrusted networks.
🧯 If You Can't Patch
- Isolate the MSO device from untrusted networks using firewalls or network segmentation.
- Implement strict monitoring and alerting for authentication bypass attempts on the API endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the MSO version via the web interface or CLI; versions before 3.0(1s) are vulnerable.
Check Version:
show version
Verify Fix Applied:
Confirm the MSO version is 3.0(1s) or later and test authentication mechanisms.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts or token generation from unexpected IP addresses.
- API requests to the vulnerable endpoint that have no matching authentication log entry.
Network Indicators:
- HTTP requests to the specific API endpoint with crafted parameters from external sources.
SIEM Query:
source="MSO" AND ((event_type="authentication" AND result="failure") OR (url_path="/api/v1/auth/token" AND method="POST"))
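The SIEM logic above, applied to log lines with an allowlist of expected source networks so that token requests from unexpected addresses stand out. This is an added example, not Cisco's code or an MSO feature: the JSON log format, the field names and the trusted ranges are assumptions, and the sample events are constructed.

```python
import ipaddress
import json

# Endpoint taken from the SIEM query; the trusted ranges are an assumption.
TOKEN_ENDPOINT = "/api/v1/auth/token"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events in an assumed JSON-lines format; not real MSO output.
SAMPLE_LOG = """
{"ts":"2021-02-24T10:00:01Z","src":"10.1.2.3","method":"POST","url_path":"/api/v1/auth/token","event_type":"authentication","result":"success","user":"admin"}
{"ts":"2021-02-24T10:00:05Z","src":"203.0.113.7","method":"POST","url_path":"/api/v1/auth/token","event_type":"authentication","result":"success","user":"admin"}
{"ts":"2021-02-24T10:00:06Z","src":"10.1.2.9","method":"POST","url_path":"/api/v1/auth/token","event_type":"authentication","result":"failure","user":"ops"}
{"ts":"2021-02-24T10:00:07Z","src":"10.1.2.3","method":"GET","url_path":"/api/v1/sites","event_type":"api","result":"success","user":"admin"}
"""


def is_trusted(src):
    """True if the source address falls inside one of the expected networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def classify(event):
    """Return the indicator an event matches, or None if it is benign."""
    if event.get("event_type") == "authentication" and event.get("result") == "failure":
        return "auth_failure"
    if event.get("method") == "POST" and event.get("url_path") == TOKEN_ENDPOINT:
        # Token issuance itself is normal; only unexpected sources are flagged.
        if not is_trusted(event.get("src", "")):
            return "token_request_untrusted_source"
    return None


def detect(log_text):
    """Parse JSON lines and return one alert dict per matching event."""
    alerts = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            alerts.append({"ts": event["ts"], "src": event["src"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```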