Cisco has addressed a maximum-severity vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) that is caused by improper token validation on a specific API endpoint. The company published security patches for critical flaws affecting its products. This vulnerability affects Cisco ACI Multi-Site Orchestrator (MSO) running a 3.0 release of software, and only when it is deployed on a Cisco Application Services Engine.
Improper token validation on a specific API
The flaw is caused by improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. The bug is tracked as CVE-2021-1388 and is rated 10 on the CVSS vulnerability scoring system.
According to the announcement, a successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.
Customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases, this will be a maintenance upgrade to software that was previously purchased.