A vulnerability ranked "critical" was found in the REST API of Cisco Elastic Services Controller (ESC), the networking giant revealed today.
The issue could allow an unauthenticated, remote attacker to bypass authentication on the REST API, potentially enabling an attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system.
According to Cisco, the vulnerability is due to "improper validation of API requests". An attacker could exploit this vulnerability by sending a crafted request to the REST API.
It affects Cisco Elastic Services Controller running software release 4.1, 4.2, 4.3, or 4.4 when the REST API is enabled. The 4.5 release is not vulnerable.
"The Cisco Product Security Incident Response Team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory," Cisco said in its advisory.
Cisco has issued software updates that address the problem, but no workarounds are available.
Cisco ESC is a Virtual Network Functions Manager (VNFM), which performs life-cycle management of virtual network functions.
Built as an open and modular system, it provides a single point of control to manage all aspects of the VNF life-cycle for generic VNFs in a dynamic environment.
Users can control the full life-cycle of all of their virtualised resources, whether using Cisco or third-party VNFs, allowing customers to choose industry solutions.