Cisco Systems released patches to fix a serious security problem in its Nexus 9000 Series Switches that may be exploited to read or write files on a susceptible system through the Application Policy Infrastructure Controller (APIC) interface.
The vulnerability, tracked as CVE-2021-1577 with a CVSS score of 9.1, stems from improper access control and enables a remote attacker to upload a file to the appliances. The company warned that an attacker may access or modify data on a vulnerable device.
The APIC appliance is a centralized controller that automatically configures and controls networks according to application needs and rules, whether the environment is physical or virtual.
Cisco identified the vulnerability during its internal security testing, which was conducted by the Cisco Advanced Security Initiatives Group (ASIG). As per the available information, Cisco APIC and Cisco Cloud APIC are vulnerable to the detected flaw.
The flaw was discovered as part of the company’s research into its product line. According to the advisory published on Wednesday, Cisco audited its product line to find which of its products were vulnerable to this bug. After the investigation was completed, the company concluded that there are no known impacted products.
The Fixed Software section of the advisory includes details on which Cisco software versions are affected by the vulnerability, as well as ways to avoid or mitigate it.
According to the Cisco Product Security Incident Response Team (PSIRT), there are no public disclosures or known cases of malicious use of the vulnerability mentioned in the advisory.
Following the discovery, the company has provided free software upgrades addressing the vulnerability mentioned in the advisory. Only customers who have bought licenses for their software versions and feature sets may install the fixes and expect support from Cisco’s support team.