Network equipment manufacturer Cisco has released security updates for a number of products. The only critical vulnerability closed in this round affects the Cisco Application Policy Infrastructure Controller (APIC) and its cloud counterpart, Cisco Cloud APIC, the central management component of Cisco’s Application Centric Infrastructure (ACI).
A remote, unauthenticated attacker could exploit the vulnerability in an API endpoint (CVE-2021-1577, CVSS score 9.1) by uploading a specially crafted file, gaining the ability to read and write arbitrary files on the affected system. Updates are available; there are no workarounds.
Security advisories rated “high”
Two further newly published security advisories concern APIC, alongside Nexus 9000 series switches and the NX-OS network operating system. The risk rating is “high” in each case; depending on the vulnerability and product, a successful attack could allow the attacker to gain administrative privileges (in the case of APIC) or cause a denial-of-service condition (in the case of Nexus switches or NX-OS).
We have put together an overview of the advisories for high severity vulnerabilities here. In addition, Cisco has eliminated some security holes with “Medium” rating from other products. A list of all available advisories is provided by Cisco’s Security Center.
BlackBerry advisory updated
In addition to the newly published advisories, Cisco has also updated an existing one: the advisory on the critical vulnerability in BlackBerry’s QNX real-time operating system, which attackers could use to attack embedded systems and, in the worst case, execute malicious code (CVE-2021-22156). According to the updated advisory on BlackBerry QNX, Cisco has completed its investigation of its own products and has found none in its portfolio to be affected by CVE-2021-22156.