Cisco Bug: CSCut12998 - Cisco APIC Access Control Vulnerability

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

1.0(3f) 1.1(0.699a)

Description (partial)

Symptom:
A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges.

Full advisory details are posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-apic


Conditions:

The vulnerability is due to eligibility logic in the RBAC processing code. An authenticated user could exploit this vulnerability by sending specially crafted representational state transfer (REST) requests to the APIC. An exploit could allow the authenticated user to make configuration changes to the APIC beyond the configured privilege for their role.

The following products are known to be affected by this vulnerability when running affected versions of software:

  • Cisco Application Policy Infrastructure Controllers when running software versions prior to 1.0(3h) and 1.1(1j)
  • Cisco Nexus 9000 Series ACI Mode Switches when running software versions prior to 11.0(3h) and 11.1(1j)

This vulnerability affects configurations that are using either signature-based transactions or username/password configurations.
