Cisco Fixes Command Injection Flaw
Monday, February 29, 2016 @ 05:02 PM gHale
Cisco released software updates for its ACE 4710 appliance to address a high severity command injection vulnerability.
The Cisco ACE 4710 Application Control Engine appliance enhances application availability and performance, and helps organizations secure their data center and critical applications against attacks.
The company is no longer selling the solution since January 2014, but remains supported until January 31, 2019.
An advisory published by the company last week, the product’s Device Manager GUI is plagued by an insufficient user input validation vulnerability that can be exploited by a remote, authenticated attacker to execute any command-line interface commands with administrator privileges.
The vulnerability can end up be exploited by sending a specially crafted HTTP POST request with commands injected into the value of the POST parameter. An attacker can leverage the flaw to bypass role-based access control (RBAC) restrictions, Cisco said.
The vulnerability affects appliances running A5 software versions up to A5(3.0) if access to the Device Manager GUI is allowed. Cisco patched the flaw with the release of versions A5(3.3), A5(3.2), A5(3.1b), A5(3.1a) and A5(3.1).
Customers who cannot immediately apply the patch can protect themselves against potential attacks by disabling access to the Device Manager GUI.
The vulnerability was reported to Cisco by Jan Kadijk of Warpnet BV. Cisco said to date the flaw has not undergone exploitation.