Connect with us

Hi, what are you looking for?


Cloud Security

Cisco CloudCenter Orchestrator Flaw Exploited in Attacks

Cisco has warned customers about a critical privilege escalation vulnerability that has been exploited against Cisco CloudCenter Orchestrator (CCO) systems.

Cisco has warned customers about a critical privilege escalation vulnerability that has been exploited against Cisco CloudCenter Orchestrator (CCO) systems.

Cisco CloudCenter is a hybrid cloud management platform with two primary components: CloudCenter Manager, the interface utilized by users and administrators, and CloudCenter Orchestrator, which automates application deployment and infrastructure provisioning and configuration. CCO was previously a product of CliQr Technologies, which Cisco acquired earlier this year.

According to Cisco, an unauthenticated attacker can remotely install malicious Docker containers with high privileges by exploiting a flaw (CVE-2016-9223) in the Docker Engine configuration.

The security hole, discovered during the resolution of support cases, exists due to a misconfiguration that makes the Docker Engine management port reachable from the outside. An attacker can exploit this weakness to load Docker containers with arbitrary privileges, including root, on the affected CCO system.

A CCO installation is vulnerable if TCP port 2375 is open and bound to the local IP address, which is the default configuration. Users can check if they are affected by using the netstat -ant | grep 2375 command.

Cisco’s Product Security Incident Response Team (PSIRT) said it was aware of a limited number of cases where this vulnerability had been exploited publicly. Organizations can check if their installations have been compromised by using the docker images command and checking the list of containers for anything suspicious.

“Because this vulnerability may allow access to the Cisco CCO software with root privileges, additional indicator of compromise may be present depending on the goal of the malicious actor,” Cisco said.

Advertisement. Scroll to continue reading.

The vulnerability has been addressed with the release of CCO 4.6.2. As a workaround, users can restrict the Docker Engine port to the localhost IP address Cisco has provided detailed instructions for this operation in its advisory.

While a majority of the severe vulnerabilities found in Cisco products have apparently not been exploited in attacks, exploits targeting the networking giant’s software can be highly useful to threat actors. The company recently learned that the NSA-linked actor known as the Equation Group had several exploits targeting its products, including ones relying on previously unknown vulnerabilities.

Related: Flaws in Cisco Cloud Services Platform Allow Command Execution

Related: Cisco Patches 9 Flaws in Email Security Appliance

Related: Cisco Resets Passwords on Careers Portal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.