The release 3.0.0 software from Cisco’s Elastic Services Controller has a dangerous vulnerability: it is capable to receive an empty admin password. The Controller (ESC) is Cisco’s automation environment for network function virtualization (NFV), providing VM and service monitors, automated recovery and dynamic scaling.
The advisory from CISCO’s about the vulnerability clarifies the flaw is in ESC’s Web service portal: “An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal.”
The cyberpunk has administrative rights to “execute arbitrary actions” on the target system when past the non-authentication. Simply ESC software announcement 3.0.0 is influenced, and the vulnerability has been fixed. The flaw has been allotted CVE-2018-0121.
The Borg’s updated flaw fest also incorporated a serious-rated flaw in Cisco’s Unified Communications Domain Manager that also contributes an effective cyberpunk distant code implementation privileges.
The bug arises all through the application generation on the controller: the means it creates are apprehensive, and cyberpunk could use “a known insecure key value to bypass security protections”. The flaw affects Unified Communications Domain Manager versions prior to 11.5(2).