
How does the Cisco CloudCenter Orchestrator vulnerability work?

Cisco's CloudCenter Orchestrator was found to have a privilege escalation vulnerability. Expert Matthew Pascucci explains how it works and what enterprises need to know about it.

A critical security bulletin was released for a vulnerability in Cisco CloudCenter Orchestrator that "causes the Docker Engine management port to be reachable outside of the Cloud Orchestrator system." What does this mean, and how does the vulnerability work?

This vulnerability gives an unauthenticated, remote attacker the ability to install Docker containers on the system, and could potentially allow him to attain escalated privileges, such as root. It was made possible by a misconfiguration that exposes the Docker management port to attackers, allowing them to submit Docker containers to the Cisco CloudCenter Orchestrator without an administrator's knowledge.

Docker is open source software that allows you to run multiple instances of an application on virtualized hardware, with the flexibility to move these containers into cloud platforms for high portability. These containers are typically more lightweight than a usual virtual machine, and run on a host whose libraries they share. The applications running in these containers can quickly be spun up or ported to hosts that support them. The concern with the recently disclosed Cisco vulnerability is that there could be additional containers or applications running in your CloudCenter Orchestrator that you did not configure, and which are being used for malicious purposes.

If an attacker is able to insert a container into the Cisco CloudCenter Orchestrator, he is also able to host malicious software on your infrastructure and use your hardware for whatever devious acts he can think of. This could include hosting phishing sites, command-and-control sites or any number of other malicious uses.

The Cisco advisory also mentions that the containers are installed with high privileges, which means there's the possibility for additional compromise on the CloudCenter Orchestrator beyond installing bad Docker containers. Cisco states that there may be a secondary impact that allows the attacker to gain root privileges to the system. If your system is found to be vulnerable, or even exploited, your incident response plan needs to take action immediately.

According to Cisco, this vulnerability affects all releases of Cisco CloudCenter where the Docker Engine TCP port 2375 is open and bound to the local address 0.0.0.0. No other Cisco products are affected by this vulnerability at this time.

Cisco recommends running netstat -ant | grep 2375 to validate whether the port is open and bound to 0.0.0.0. Another recommendation is to use the docker images command to see which container images are currently installed on the Cisco CloudCenter Orchestrator. You can run the command docker ps -a to get a list of all containers, running or stopped. You'll have to understand your environment after seeing the results to know which might have been inserted by an attacker.

There are other workarounds for those who might not have a support contract. The first is to restrict the Docker Engine port to bind to 127.0.0.1 instead of 0.0.0.0. The second is to use external firewall devices to filter access to the management port.
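The check and the inventory step above can be scripted so they can be repeated across hosts. The following POSIX shell script is an added example for this article; it is not Cisco's advisory code or part of CloudCenter. It parses netstat -ant style output and reports whether a Docker Engine TCP port 2375 listener is bound to all interfaces (0.0.0.0 or ::), to loopback only, or is not listening at all, and it compares a docker ps -a listing against a baseline of images you expect to be present. The netstat and docker ps lines, the image names and the container IDs are constructed samples; on a real host you would feed the functions the live command output instead.

```shell
#!/bin/sh
# Added example (not from the Cisco advisory or the article): classify the
# Docker Engine management port binding from netstat output, and flag
# containers whose image is not on an administrator-maintained baseline.

DOCKER_PORT=2375

# Constructed sample of `netstat -ant` on a host with the vulnerable binding.
EXPOSED_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:2375           10.0.0.9:51234          ESTABLISHED'

# Constructed sample after applying the loopback-only workaround.
SAFE_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# docker_port_exposure <netstat -ant output>
# Prints "exposed" when port 2375 listens on 0.0.0.0, :: or *,
# "loopback" when it listens only on a specific/loopback address,
# and "closed" when nothing listens on the port.
docker_port_exposure() {
    printf '%s\n' "$1" | awk -v port="$DOCKER_PORT" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Local Address is field 4; the port follows the last colon,
            # which also handles IPv6 forms such as ":::2375".
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") exposed = 1
            else loopback = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loopback) print "loopback"
            else print "closed"
        }'
}

# Constructed sample of `docker ps -a --format "{{.ID}} {{.Image}} {{.Status}}"`.
PS_SAMPLE='a1b2c3d4e5f6 example-orchestrator/api:1.0 Up 3 days
f6e5d4c3b2a1 example-orchestrator/db:1.0 Up 3 days
0badc0ffee00 untrusted/unknown-image:latest Up 2 hours'

# Images the administrator knows should be on this host (constructed baseline).
BASELINE='example-orchestrator/api:1.0 example-orchestrator/db:1.0'

# unexpected_containers <docker ps output> <space-separated baseline images>
# Prints "<id> <image>" for every container whose image is not in the baseline.
unexpected_containers() {
    printf '%s\n' "$1" | awk -v baseline="$2" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        NF >= 2 && !($2 in known) { print $1 " " $2 }'
}

# Demonstration on the constructed samples. On a live host use:
#   docker_port_exposure "$(netstat -ant)"
#   unexpected_containers "$(docker ps -a --format '{{.ID}} {{.Image}} {{.Status}}')" "$BASELINE"
printf 'vulnerable host: %s\n' "$(docker_port_exposure "$EXPOSED_SAMPLE")"
printf 'remediated host: %s\n' "$(docker_port_exposure "$SAFE_SAMPLE")"
printf 'containers not on baseline:\n%s\n' "$(unexpected_containers "$PS_SAMPLE" "$BASELINE")"
```

A result of "exposed" is the condition the advisory describes. How the Docker daemon is launched on the appliance is not stated in the article, so the exact place to change the binding is an assumption; in a stock Docker Engine the listener address comes from the daemon's -H option (for example -H tcp://127.0.0.1:2375 rather than -H tcp://0.0.0.0:2375) or the "hosts" entry in daemon.json, and the firewall workaround is a host or perimeter rule that drops inbound TCP 2375 from anything other than the management addresses that need it. Anything reported by unexpected_containers should be fed to your incident response process rather than simply deleted, since the container itself is evidence.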

This is a security flaw that needs to be patched as soon as possible, and Cisco has released both a patch and an advisory for the vulnerability to assist with remediating the threat.


This was last published in March 2017
