Cisco BPA, WSA Bugs Allow Remote Cyberattacks
Reading Time: 1 Minute
A set of high-severity privilege-escalation vulnerabilities affecting Business Process Automation (BPA) application and Cisco’s Web Security Appliance (WSA) and could allow authenticated, remote attackers to access sensitive data or take over a targeted system.
The first two bugs (CVE-2021-1574 and CVE-2021-1576) exist in the web-based management interface of the Cisco Business Process Automation (BPA), which is used to streamline various IT processes. Its functions include OS upgrades, device activation, compliance checks and server migration.
The flaws, which both rate 8.8 out of 10 on the CVSS vulnerability-severity scale, could allow an authenticated, remote attacker to elevate privileges to administrator-level. A successful exploit would involve sending crafted HTTP messages to an affected system.
“These vulnerabilities are due to improper authorization enforcement for specific features and for access to log files that contain confidential information,” according to Cisco’s Thursday advisory. Exploitation could result in an adversary “performing unauthorized actions with the privileges of an administrator, or by retrieving sensitive data from the logs and using it to impersonate a legitimate privileged user,” the company noted.
- For CVE-2021-1574, an attacker with valid user credentials could execute unauthorized commands;
- For CVE-2021-1576, an attacker with valid credentials could access the logging subsystem of an affected system and retrieve sensitive data. The system is vulnerable only while a legitimate user maintains an active session on the system, Cisco noted.
The vulnerabilities affect Cisco BPA releases earlier than Release 3.1.
See Also: Kaseya ransomware supply chain attack: What you need to know
Meanwhile, the third bug affects Cisco’s WSA appliance, which provides protection for those using a corporate network to access the web, by automatically blocking risky sites and testing unknown sites before allowing users to click on them.
The issue (CVE-2021-1359, with a CVSS score of 6.3 out of 10) exists in the configuration management of the Cisco AsyncOS operating system that powers the WSA. According to Cisco’s advisory, it could allow an authenticated, remote attacker to perform command injection and elevate privileges to root.
“This vulnerability is due to insufficient validation of user-supplied XML input for the web interface,” the networking giant explained. “An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.”
The bug rates high-severity rather than critical since any would-be attacker would need a valid user account with the rights to upload configuration files in order to exploit the bug – something that could be achieved via another exploit or phishing attack.
See Also: Offensive Security Tool: It Was All A Dream (Windows Print Spooler RCE)
Badly programmed APIs are an obvious attack vector and one of the most common threat vectors used to take advantage of poorly secured applications to get to data. They’re as common as dandelions in spring: When researcher Alissa Knight with Approov tried to break into the APIs of 30 different mHealth app vendors, she found that they were all vulnerable to one degree or another. Seventy-seven percent of them contained hardcoded API keys – some of which don’t expire – that would allow an attacker to intercept API exchange of information. Seven percent of those APIs belonged to third-party payment processors that explicitly warn against hard-coding their secret keys in plain text.
Knight also found that 100 percent of API endpoints tested were vulnerable to BOLA attacks, which allowed the researcher to view the personal health information and personally identifiable information (PII) for patients that weren’t assigned to the researcher’s account.
In his writeup, Silva confirmed that API access control issues are “one of the biggest security problems facing APIs.”
“As vulnerable APIs increasingly fall into adversaries’ sights, it’s critical that developers receive proper education on best practices for embedding security into their design from the get-go,” he said.
Checkmarx disclosed its findings to Coursera’s security team in October. By May 24, 2021, Coursera had resolved all the API issues, including a new one that Checkmarx found and reported in January.
See Also: Hacking Stories: Andrian Lamo – The ‘homeless’ Hacker
The issue affects both the virtual and hardware-based iterations of the appliances, in Releases 11.8 and earlier, 12.0 and 12.5.
These are just the latest patches that Cisco has issued; last month, it patched several high-severity security vulnerabilities in its Small Business 220 Series Smart Switches, which are intro-level networking gear for SMBs. The flaws could allow remote attacks designed to steal information, drop malware and disrupt operations, via session hijacking, arbitrary code execution, cross-site scripting (XSS) and HTML injection.
Source: threatpost.com
(Click Link)
Recent News
Glove Stealer Malware Evades Chrome’s App-Bound Encryption to Target Cookies
New RustyAttr Trojan Evades macOS Security Using Hidden Metadata
GoIssue: Sophisticated Phishing Tool Targets GitHub Developer Credentials
New Ymir Ransomware Launches In-Memory Attacks Post-RustyStealer Infections
North Korean Hackers Deploy MacOS Malware with Unseen Stealth to Hijack Crypto Firms
Winos4.0 Malware Framework Uses Gaming Apps to Infiltrate Windows Systems
CRON#TRAP Phishing Attack: A Linux VM Backdoor Hides Inside Windows Systems
New Interlock Ransomware Exploits FreeBSD servers, Demanding Huge Ransoms
New Version of iOS Spyware LightSpy Adds Device-Disabling Capabilities
Opera Browser ‘CrossBarking’ Vulnerability Could Enable Full Access to Private APIs
