Cisco Bug: CSCut12998 - Cisco APIC Access Control Vulnerability
Jan 31, 2017
- Cisco Application Policy Infrastructure Controller (APIC)
Known Affected Releases
Symptom: A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges. Full advisory details are posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-apic Conditions: The vulnerability is due to eligibility logic in the RBAC processing code. An authenticated user could exploit this vulnerability by sending specially crafted representational state transfer (REST) requests to the APIC. An exploit could allow the authenticated user to make configuration changes to the APIC beyond the configured privilege for their role. The following products are known to be affected by this vulnerability when running affected versions of software: Cisco Application Policy Infrastructure Controllers when running software versions prior to 1.0(3h) and 1.1(1j) Cisco Nexus 9000 Series ACI Mode Switches when running software versions prior to 11.0(3h) and 11.1(1j) This vulnerability affects configurations that are using either signature-based transactions or username/password configurations.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases