Cisco has warned customers about a critical privilege escalation vulnerability that has been exploited against Cisco CloudCenter Orchestrator (CCO) systems.
Cisco CloudCenter is a hybrid cloud management platform with two primary components: CloudCenter Manager, the interface utilized by users and administrators, and CloudCenter Orchestrator, which automates application deployment and infrastructure provisioning and configuration. CCO was previously a product of CliQr Technologies, which Cisco acquired earlier this year.
According to Cisco, an unauthenticated attacker can remotely install malicious Docker containers with high privileges by exploiting a flaw (CVE-2016-9223) in the Docker Engine configuration.
The security hole, discovered during the resolution of support cases, exists due to a misconfiguration that makes the Docker Engine management port reachable from the outside. An attacker can exploit this weakness to load Docker containers with arbitrary privileges, including root, on the affected CCO system.
A CCO installation is vulnerable if TCP port 2375 is open and bound to the 0.0.0.0 local IP address, which is the default configuration. Users can check whether they are affected by running the command netstat -ant | grep 2375.
Cisco’s Product Security Incident Response Team (PSIRT) said it was aware of a limited number of cases where this vulnerability had been exploited publicly. Organizations can check if their installations have been compromised by using the docker images command and checking the list of containers for anything suspicious.
“Because this vulnerability may allow access to the Cisco CCO software with root privileges, additional indicator of compromise may be present depending on the goal of the malicious actor,” Cisco said.
The vulnerability has been addressed with the release of CCO 4.6.2. As a workaround, users can restrict the Docker Engine port to the localhost IP address 127.0.0.1. Cisco has provided detailed instructions for this operation in its advisory.
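The netstat check and the 127.0.0.1 workaround described above can be turned into a stricter test than a plain grep, shown here as an added example that is not taken from the article or from Cisco's advisory. It assumes the Linux net-tools column layout for netstat -ant; the function name and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco advisory): classify the Docker Engine
# listener from Linux `netstat -ant` output read on stdin.
# Prints: exposed | loopback-only | not-listening
classify_docker_listener() {
    awk -v port="${1:-2375}" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next         # exact match, so 23750 is ignored
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") loopback = 1
            else exposed = 1                   # 0.0.0.0, ::, or a routable address
        }
        END {
            if (exposed) print "exposed"
            else if (loopback) print "loopback-only"
            else print "not-listening"
        }'
}

# Constructed sample: the default binding the article describes as vulnerable.
sample_default() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN
EOF
}

# Constructed sample: after the workaround (bound to 127.0.0.1 only).
sample_workaround() { cat <<'EOF'
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
EOF
}

# Constructed sample: lines a plain `grep 2375` matches but that are not the listener.
sample_decoys() { cat <<'EOF'
tcp        0      0 0.0.0.0:23750           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:40112          10.0.0.9:2375           ESTABLISHED
EOF
}

for s in sample_default sample_workaround sample_decoys; do
    printf '%s: %s\n' "$s" "$("$s" | classify_docker_listener)"
done
# On a CCO host: netstat -ant | classify_docker_listener
```

A result of loopback-only corresponds to the workaround state; exposed means the management port is still reachable on a non-loopback address.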
While a majority of the severe vulnerabilities found in Cisco products have apparently not been exploited in attacks, exploits targeting the networking giant’s software can be highly useful to threat actors. The company recently learned that the NSA-linked actor known as the Equation Group had several exploits targeting its products, including ones relying on previously unknown vulnerabilities.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
