
Cloud Security

Cisco CloudCenter Orchestrator Flaw Exploited in Attacks

Cisco has warned customers about a critical privilege escalation vulnerability that has been exploited against Cisco CloudCenter Orchestrator (CCO) systems.


Cisco CloudCenter is a hybrid cloud management platform with two primary components: CloudCenter Manager, the interface utilized by users and administrators, and CloudCenter Orchestrator, which automates application deployment and infrastructure provisioning and configuration. CCO was previously a product of CliQr Technologies, which Cisco acquired earlier this year.

According to Cisco, an unauthenticated attacker can remotely install malicious Docker containers with high privileges by exploiting a flaw (CVE-2016-9223) in the Docker Engine configuration.

The security hole, discovered during the resolution of support cases, exists due to a misconfiguration that makes the Docker Engine management port reachable from the outside. An attacker can exploit this weakness to load Docker containers with arbitrary privileges, including root, on the affected CCO system.

A CCO installation is vulnerable if TCP port 2375 is open and bound to the wildcard address 0.0.0.0 (that is, listening on all interfaces), which is the default configuration. Users can check whether they are affected by running the command netstat -ant | grep 2375.

Cisco’s Product Security Incident Response Team (PSIRT) said it was aware of a limited number of cases where this vulnerability had been exploited publicly. Organizations can check whether their installations have been compromised by running the docker images command and reviewing the returned list of images for anything suspicious.

“Because this vulnerability may allow access to the Cisco CCO software with root privileges, additional indicators of compromise may be present depending on the goal of the malicious actor,” Cisco said.

The vulnerability has been addressed with the release of CCO 4.6.2. As a workaround, users can restrict the Docker Engine port to the localhost IP address 127.0.0.1. Cisco has provided detailed instructions for this operation in its advisory.
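The following script is an added example and is not code from Cisco's advisory or from SecurityWeek. It automates the two checks described above: it parses Linux-style netstat -ant output to decide whether the Docker Engine port 2375 is bound to the wildcard address (the vulnerable default) or to 127.0.0.1 (the workaround), and, where the docker CLI exists, lists the local images for review. The netstat lines it runs on by default are constructed samples, not captures from a real CCO host; the --live flag, the function names and the DOCKER_PORT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from Cisco's advisory or the SecurityWeek article.
# Reproduces the two checks the article names for CVE-2016-9223:
#   1. is TCP 2375 (Docker Engine management port) listening on 0.0.0.0 / :: ?
#   2. which images are present on the host, to review for anything unexpected?
# It works on "netstat -ant" style text (Linux column layout) so it can be run
# offline on a constructed sample; on a real CCO host pass --live to read netstat.

DOCKER_PORT=2375

# Reads netstat -ant output on stdin. Exits 0 if any LISTEN socket on
# $DOCKER_PORT is bound to the wildcard address (0.0.0.0 or ::), 1 otherwise.
# A socket bound to 127.0.0.1 (Cisco's workaround) is reported as not exposed.
docker_port_exposed() {
    awk -v port="$DOCKER_PORT" '
        $NF == "LISTEN" {
            addr = $4                              # "Local Address" column
            n = split(addr, parts, ":")
            p = parts[n]                           # text after the last colon
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && (host == "0.0.0.0" || host == "::"))
                found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Prints a one-line verdict for the netstat text given on stdin.
verdict() {
    if docker_port_exposed; then
        echo "EXPOSED: port $DOCKER_PORT is bound to all interfaces"
    else
        echo "OK: port $DOCKER_PORT is not listening on all interfaces"
    fi
}

# The article's compromise check: list local images for manual review.
# Only runs where the docker CLI exists (it is not available offline).
list_images() {
    if command -v docker >/dev/null 2>&1; then
        docker images
    else
        echo "docker CLI not found; skipping image review"
    fi
}

if [ "${1:-}" = "--live" ]; then
    netstat -ant | verdict
    list_images
else
    # Constructed samples: a default (vulnerable) binding and the workaround
    # binding. Neither line was captured from a real system.
    VULNERABLE_SAMPLE='tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN'
    FIXED_SAMPLE='tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN'
    printf '%s\n' "$VULNERABLE_SAMPLE" | verdict
    printf '%s\n' "$FIXED_SAMPLE" | verdict
fi
```

Run without arguments to see the verdict on both constructed samples; run with --live on the CCO host itself to evaluate the real socket table. The parser treats an IPv6 wildcard (:::2375) as exposed too, since that binding is also reachable from outside, while a loopback binding passes, matching the state Cisco's workaround produces.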


While a majority of the severe vulnerabilities found in Cisco products have apparently not been exploited in attacks, exploits targeting the networking giant’s software can be highly useful to threat actors. The company recently learned that the NSA-linked actor known as the Equation Group had several exploits targeting its products, including ones relying on previously unknown vulnerabilities.

Related: Flaws in Cisco Cloud Services Platform Allow Command Execution

Related: Cisco Patches 9 Flaws in Email Security Appliance

Related: Cisco Resets Passwords on Careers Portal

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
