Cisco Application Services Engine Unauthorized Access Vulnerabilities (cisco-sa-case-mvuln-dYrDPC6w)

critical Nessus Plugin ID 151019

Synopsis

The remote device is missing a vendor-supplied security patch

Description

According to its self-reported version, Cisco Application Services Engine is affected by multiple unauthorized access vulnerabilities.

- A vulnerability in Cisco Application Services Engine could allow an unauthenticated, remote attacker to access a privileged service on an affected device. The vulnerability is due to insufficient access controls for a service running in the Data Network. An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations. (CVE-2021-1393)

- A vulnerability in Cisco Application Services Engine could allow an unauthenticated, remote attacker access to a specific API on an affected device. The vulnerability is due to insufficient access controls for an API running in the Data Network. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected API. A successful exploit could allow the attacker to learn device-specific information, create tech support files in an isolated volume, and make limited configuration changes. (CVE-2021-1396)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvw14124 and CSCvw55819.

See Also

http://www.nessus.org/u?c9c60100

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw14124

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw55819

Plugin Details

Severity: Critical

ID: 151019

File Name: cisco-sa-case-mvuln-dYrDPC6w.nasl

Version: 1.2

Type: remote

Family: CISCO

Published: 6/28/2021

Updated: 6/28/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-1393

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:application_services_engine

Required KB Items: installed_sw/Cisco Application Services Engine

Exploit Ease: No known exploits are available

Patch Publication Date: 2/24/2021

Vulnerability Publication Date: 2/24/2021

Reference Information

CVE: CVE-2021-1393, CVE-2021-1396