CVE-2022-20921: Cisco ACI Multi-Site Orchestrator privilege escalation flaw
Cisco has addressed a high severity privilege escalation vulnerability found in the API implementation of the Cisco ACI Multi-Site Orchestrator (MSO).
Cisco Multi-Site Orchestrator offers multisite networking orchestration and policy management, disaster recovery, and high availability, as well as provisioning and health monitoring.
Cisco explained, “A vulnerability in the API implementation of Cisco ACI Multi-Site Orchestrator (MSO) could allow an authenticated, remote attacker to elevate privileges on an affected device.” The vulnerability (tracked as CVE-2022-20921 and CVSS score: 8.8) only impacts Cisco ACI MSO.
Authenticated attackers may elevate privileges remotely on affected devices by sending a crafted HTTP request to exploit the improper authorization bug in the Cisco ACI MSO API implementation. A successful exploit could allow an attacker who is authenticated with non-Administrator privileges to elevate to Administrator privileges on an affected device.
The Cisco Product Security Incident Response Team (PSIRT) says that it isn’t aware of any malicious use of the CVE-2022-20921 bug. However, PSIRT is aware that a proof of concept is available for the vulnerability. Accordingly, users are advised to move quickly to apply the necessary updates to prevent potential real-world exploitation.
| Cisco ACI Multi-Site Orchestrator Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 2.2 | Not vulnerable |
| 2.2 | Not vulnerable |
| 3.0 | 3.0(3m) |
| 3.1 | Not vulnerable |
| 3.2 | Not vulnerable |
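To turn the fixed-release table into an inventory check, the following added example (not Cisco's code and not part of the original advisory) parses MSO version strings in Cisco's `major.minor(build[letter])` form and classifies each one against the table above. It assumes that only the 3.0 train is affected, that 3.0(3m) is the first fixed build in that train, and that a trailing letter suffix sorts alphabetically within the same build number; trains the table does not list are reported as not covered rather than guessed. The inventory below is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# First fixed release for the affected 3.0 train, taken from the advisory table.
FIXED_RELEASE = "3.0(3m)"

# Trains the advisory table explicitly lists as not vulnerable.
NOT_VULNERABLE_TRAINS = {(2, 2), (3, 1), (3, 2)}

# Cisco MSO version strings look like "3.0(3m)"; the build/letter part is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)([a-z]*)\))?$")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split '3.0(3m)' into (3, 0, 3, 'm'); missing build parts default to (0, '')."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised MSO version string: {version!r}")
    major, minor, build, letter = match.groups()
    return int(major), int(minor), int(build or 0), letter or ""


def assess(version: str) -> str:
    """Classify one MSO release against the CVE-2022-20921 fixed-release table."""
    major, minor, build, letter = parse_version(version)
    train = (major, minor)
    if train < (2, 2) or train in NOT_VULNERABLE_TRAINS:
        return "not vulnerable"
    if train == (3, 0):
        # Assumption: builds sort by number, then alphabetically by letter suffix.
        fixed_build, fixed_letter = parse_version(FIXED_RELEASE)[2:]
        return "vulnerable" if (build, letter) < (fixed_build, fixed_letter) else "fixed"
    return "not covered by advisory table"


def assess_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for each entry; unparsable versions are flagged."""
    results = []
    for host, version in inventory.items():
        try:
            status = assess(version)
        except ValueError:
            status = "unparsable version"
        results.append((host, version, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = {
        "mso-prod-01": "3.0(2k)",
        "mso-prod-02": "3.0(3m)",
        "mso-lab-01": "3.1(1a)",
        "mso-old-01": "2.1(1)",
        "mso-new-01": "4.0(1a)",
        "mso-bad-01": "three point zero",
    }
    for host, version, status in assess_inventory(sample_inventory):
        print(f"{host:12s} {version:10s} {status}")
```

Hosts reported as "vulnerable" are the ones to schedule for the 3.0(3m) upgrade; "not covered by advisory table" entries need a manual check against the current Cisco advisory rather than being assumed safe.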