A newly discovered vulnerability (CVE-2023-20230) has been found in the restricted security domain implementation of Cisco's Application Policy Infrastructure Controller (APIC) affecting multi-tenancy (the ability for multiple users to share a common environment). This vulnerability could potentially allow an authenticated remote attacker to access and manipulate non-tenant policies (e.g., access policies) on an affected system. In this post, we will go deeper into the details of the vulnerability, provide a code snippet, and share the original references.
Vulnerability Details
This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy for policies outside the tenant boundaries. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. If the attacker is successful in exploiting the system, they would be able to read, modify or delete policies created by users associated with a different security domain. However, it is important to note that exploitation is not possible for policies under tenants that an attacker has no authorization to access.
The vulnerability affects Cisco APIC only when configured for multi-tenancy with restricted security domains. The following versions of Cisco APIC are known to be affected:
Code Snippet
The example snippet below demonstrates a simplified version of how the vulnerability may be exploited. Note that this is only to help you understand the issue and should not be used for malicious purposes.
# Attacker with access to restricted security domain
attacker_user = 'attacker@restricted-domain.com'
attacker_password = 'attacker_password'
# Exploit function
def exploit_cve_2023_20230(user, password):
# Access the restricted security domain using attacker's credentials
system_access = get_access_to(user, password)
if system_access:
# List policies outside the tenant boundaries
non_tenant_policies = list_policies(outside_tenant=True)
# Manipulate these policies
for policy in non_tenant_policies:
read_policy(policy)
modify_policy(policy)
delete_policy(policy)
# Exploit the vulnerable system
exploit_cve_2023_20230(attacker_user, attacker_password)
Original References and Exploit Details
The original references for this vulnerability (CVE-2023-20230) and further details can be found in the following sources:
1. Cisco Security Advisory: cisco-sa-20191106-apic-multi-rsd
2. National Vulnerability Database (NVD): CVE-2023-20230
Recommendations
Cisco has released a software update to address this vulnerability. Users of affected software versions are advised to upgrade to the latest version:
Version 4.2(5) and later 4.2(x) or 4.x releases
In addition to upgrading to the latest software version, users should also implement strong authentication and access controls for their Cisco APIC deployments to minimize the risk of unauthorized access.
Conclusion
In summary, CVE-2023-20230 is a vulnerability in the restricted security domain implementation of Cisco APIC that could allow an authenticated, remote attacker to exploit multi-tenancy and manipulate non-tenant policies. Affected users are advised to follow the recommendations provided and keep their software up-to-date to ensure the security of their systems.
Timeline
Published on: 08/23/2023 19:15:00 UTC
Last modified on: 08/31/2023 14:59:00 UTC