• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-1579- A Privilege Escalation Vulnerability In Cisco APIC
How to Fix CVE-2021-1579- A Privilege Escalation Vulnerability in Cisco APIC

Cisco has published advisory for one critical severity, one high severity vulnerability, and two medium severity vulnerabilities in Cisco APIC (Application Policy Infrastructure Controller). Successful exploitation of these vulnerabilities could allow attackers to take over the vulnerable Cisco appliances. The flaw CVE-2021-1579 with a base score of 8.8 is the second most high severity vulnerability among the four, allowing authenticated, remote attackers with Administrator read-only credentials to elevate privileges on an affected system. We recommend that all the Cisco and cloud APIC app owners read this post that tells how to fix CVE-2021-1579- A Privilege Escalation Vulnerability in Cisco APIC.

List Of Other Vulnerabilities Disclosed In Cisco APIC And Cloud APIC:

Four vulnerabilities uncovered in Cisco APIC and Cloud APIC are:

Summary of CVE-2021-1579: 

This is the second most high severity vulnerability of the four, with a CVSS score of 8.8. This vulnerability allows authenticated, remote attackers with Administrator read-only credentials to elevate privileges on an affected system. The flaw is due to an insufficient implementation of role-based access control (RBAC) in the Application Policy Infrastructure Controller (APIC). It affects both prim and cloud versions of APIC. This is an easily exploitable flaw. Attackers can exploit the flaw just by sending a specific API request using an app with admin write credentials.

Associated CVE IDCVE-2021-1579
DescriptionA Privilege Escalation Vulnerability in Cisco APIC
Associated ZDI ID
CVSS Score8.8 High
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Cisco Products Affected By CVE-2021-1579:

The flaw affects both on-prem and cloud versions of APIC devices if they have installed and enabled apps with admin write privileges. The vulnerability is said to be affected by the versions that are less than and equal to v5.1.

How To Identify The Cisco APIC Vulnerable To The Flaw?

To find the vulnerable APICs, you need to find embedded apps with admin write privileges on the APIC device. Follow these simple instructions to find the embedded apps installed with admin write privileges:

  1. Log in to the web UI and click on the Apps tab.
  2. Check the Permissions and Permission Level of the installed application by taking the mouse pointer over on the installed apps.
  3. If you see Permission is set to admin and Permission Level is set to Write, then your APIC is vulnerable to the flaw.

Easiest Workaround To Fix CVE-2021-1579- A Privilege Escalation Vulnerability In Cisco APIC:

If you can’t fix the vulnerability soon, you can disable or delete the app from APIC. Follow these simple steps to disable or delete the app from APIC.

  1. Log in to the web UI and click on the Apps tab.
  2. Check the Permissions and Permission Level of the installed application by taking the mouse pointer over on the installed apps.
  3. If you see Permission is set to admin and Permission Level is set to Write, then you should either disable or delete the app.
  4. Click on the icon that is a circle with a line to disable the app. Or, click the icon that is an X to delete the app. 

How To Fix CVE-2021-1579- A Privilege Escalation Vulnerability In Cisco APIC?

Cisco published the fixed version of APIC in its advisory. As per the advisory, version 5.2 and later are not vulnerable to the Arbitrary File Read and Write vulnerability. We recommend all the users of the affected devices update the Cisco APIC to the latest available version as Cisco has acknowledged the vulnerability by releasing the free software updates. Please refer to the below table that shows the required actions to take on the different versions of APIC.

Cisco APIC or Cisco Cloud APIC Software ReleaseFirst Fixed Release
Earlier than 3.2Migrate to a fixed release.
3.23.2(10e)
4.0Migrate to a fixed release.
4.1Migrate to a fixed release.
4.24.2(6h)
5.0Migrate to a fixed release.
5.15.1(3e)
5.2Not vulnerable.

How To Upgrade Cisco APSI?

You can refer to these online docs from Cisco to upgrade your APICs. The biggest concern most of the uses have is the upgradation path and the process. It’s tricky and hard to make the decision as to which version to upgrade. The code selection process can get even more complex if you have dependencies such as AVE (ACI Virtual Edge), AVS (ACI Virtual Switch, or the ACI MSO (Multi-Site Orchestrator).

To help users, Cisco has developed an online tool ‘Cisco APIC Software Upgrade/Downgrade Support Matrix‘. This tool helps you provide upgrade and downgrade information such as a recommended path to upgrade or downgrade, the procedure to upgrade or downgrade, caveats, recommended software release, software no longer supported, open bugs of the target, and current release. This feature makes it a unique and must-have tool for those who plan either upgrade or downgrade the APIC.

All you need to choose the from and to release that’s it. If you want to upgrade 5.2(4) from 4.0, select the from and to versions.

We hope this post will help you know How to Fix CVE-2021-1579- A Privilege Escalation Vulnerability in Cisco APIC. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.