Security Intelligence Feed

We’ve got your back, even when you don’t know it.

Our analysts are on top of the latest developments in cyber security. This feed is our way to share our findings and research to help you better understand the ever-changing security landscape while continuing to give you the peace of mind that Covalence is always protecting you.


Cisco Fixes a Critical Severity Flaw in ACI MSO

On 24 February 2021, Cisco fixed a critical vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO). The vulnerability received the maximum score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale.


Details

  • The flaw, tracked as CVE-2021-1388, is in the Cisco ACI Multi-Site Orchestrator (MSO) – Cisco Systems’ inter-site policy manager software.
  • The flaw affects only Cisco ACI MSO 3.0 releases deployed on the Cisco Application Services Engine, and could allow an unauthenticated, remote attacker to bypass authentication on an affected device.
  • According to Cisco, a malicious actor could use the flaw to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

 

Why it’s important

  • Although Cisco is not aware of any attempts to abuse the flaw for malicious purposes, its maximum severity reflects how easy it is to exploit and may attract malicious actors in the near future.
  • We recommend reviewing the list of affected products and applying updates using the guidance in the References section below.
  • To exploit this flaw, a threat actor needs network access to the MSO API. Restricting API access to known management systems is a sound defense-in-depth measure that limits exposure to this class of vulnerability, including bugs that have not yet been disclosed.
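The following is an added example, not code from Cisco or from the advisory, showing one way to put the "restrict API access to known systems" advice into practice: it renders an nftables ruleset that admits HTTPS to the orchestrator only from an allowlist of management networks, and it audits web-server-style access-log lines for API requests that arrived from outside that allowlist. The addresses, hostnames, API paths and log lines are all constructed for the example; MSO's real log format and endpoints may differ.

```python
"""
Added example: audit which hosts may reach a management API such as Cisco ACI MSO.

  1. render_nft_rules()  - nftables ruleset allowing HTTPS to the MSO only from
                           the management allowlist, dropping all other sources.
  2. audit_api_access()  - flags API requests in access-log lines whose source
                           is not in the allowlist.

All IPs, ports, paths and log lines below are constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed allowlist of management networks (hypothetical values).
MGMT_ALLOWLIST = [
    ipaddress.ip_network("10.10.0.0/24"),   # admin workstations (assumed)
    ipaddress.ip_network("10.20.5.10/32"),  # automation/CI runner (assumed)
]

# Constructed orchestrator address and API port (hypothetical values).
MSO_ADDRESS = ipaddress.ip_address("10.0.0.50")
MSO_API_PORT = 443

# Constructed access-log lines in a common web-server format (not real MSO logs).
SAMPLE_LOG_LINES = [
    '10.10.0.15 - - [24/Feb/2021:10:01:02 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Feb/2021:10:02:45 +0000] "GET /api/v1/sites HTTP/1.1" 200 2048',
    '10.20.5.10 - - [24/Feb/2021:10:03:10 +0000] "GET /api/v1/schemas HTTP/1.1" 200 1024',
    '198.51.100.23 - - [24/Feb/2021:10:04:00 +0000] "POST /api/v1/auth/login HTTP/1.1" 401 128',
]

# source, timestamp, method, path, status code
LOG_PATTERN = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def is_allowed(src: str) -> bool:
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_ALLOWLIST)


def render_nft_rules() -> str:
    """Return an nftables ruleset that accepts HTTPS to the MSO from the
    allowlist and drops every other connection attempt to the API port.
    Other traffic is left alone (policy accept) so the rule set can be layered
    onto an existing firewall without locking out management protocols."""
    nets = ", ".join(str(n) for n in MGMT_ALLOWLIST)
    return "\n".join([
        "table inet mso_api {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip daddr {MSO_ADDRESS} tcp dport {MSO_API_PORT} ip saddr {{ {nets} }} accept",
        f"    ip daddr {MSO_ADDRESS} tcp dport {MSO_API_PORT} counter drop",
        "  }",
        "}",
    ])


def audit_api_access(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (source, method, path, status) for every parsable API request
    whose source is outside the management allowlist. Unparsable lines are
    skipped rather than treated as findings."""
    findings = []
    for line in lines:
        m = LOG_PATTERN.match(line)
        if not m:
            continue
        src, _ts, method, path, status = m.groups()
        if path.startswith("/api/") and not is_allowed(src):
            findings.append((src, method, path, status))
    return findings


if __name__ == "__main__":
    print(render_nft_rules())
    for src, method, path, status in audit_api_access(SAMPLE_LOG_LINES):
        print(f"unexpected API client {src}: {method} {path} -> {status}")
```

A finding with a 2xx status from a non-allowlisted source deserves immediate attention, because it means the API accepted a request from a host that should never reach it; a 401 from an unknown source still indicates the API is exposed more widely than intended and the firewall rules are not in effect.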

 

References:

Cisco Security Advisory

Sophisticated Attacks Abused Chain of Flaws in Q1 2020

Google’s Project Zero reported on a chain of vulnerabilities used in Q1 2020 by what is believed to be a sophisticated threat actor.


Details

  • Targeting Windows and Android users, the threat actor chained together multiple flaws and delivered them from two separate servers using a watering-hole method.
  • The exploit chain consisted of multiple previously-unknown vulnerabilities (0-days): four in Chrome and two in Windows. Patches for all of these vulnerabilities were available at the time of the reporting.
  • The methods used in the campaign point to a “well-resourced actor” with expertise in exploit engineering, coding, logging, post-exploitation techniques, and anti-analysis methods.

 

Why it’s important

  • Some of the vulnerabilities in the report look harmless on their own and are therefore more likely to be deprioritized by security teams.
  • Chained together, individually minor vulnerabilities can form a high-impact attack, as they did here.
  • Systems without auto-updates enabled may still be exposed to the Chrome or Windows vulnerabilities mentioned in the report, even though patches exist.
  • We recommend patching as soon as possible using the guidance in the References section below.

 

Covalence monitoring would have alerted clients if their systems were out of date, reducing their exposure to campaigns of this type.

 

References: Google Project Zero, ThreatPost