Cisco finally fixed Elastic Services Controller Service 3.0 Portal Authentication Bypass Vulnerability (CVE-2018-0121) – 8th Feb 2019

Preface: It was because of new version 4.0 introduced on Jan 2018. Cisco urge customers upgrade to 4.0 to do the remediation. The Elastic Services Controller Service Portal Authentication Bypass Vulnerability finally fixed on Feb 2019.

Product background: Cisco ESC provides a single point of control to manage all aspects of VNF lifecycle for generic Virtual Network Functions (VNFs) in a dynamic environment. ESC brings advanced capabilities like VM and Service monitoring, auto-recovery and dynamic scaling.

Speculate the technical weakness on similar design function: Perhaps the problem given by Vulnerabilities of using a REST API token based authentication! So the official announcement state that vulnerability is due to improper security restrictions that are imposed by the web-based service portal of the affected software.

Official announcements: