A set of high-severity privilege-escalation vulnerabilities affecting the Cisco Business Process Automation (BPA) application and Web Security Appliance (WSA) could allow authenticated, remote attackers to access sensitive data or take over a targeted system by sending crafted HTTP messages.
The first two bugs (CVE-2021-1574 and CVE-2021-1576), each with a CVSS score of 8.8, exist in the web-based management interface of Cisco BPA, which is used to streamline various IT processes. Its functions include OS upgrades, device activation, compliance checks and server migration.
- CVE-2021-1574: an attacker with valid user credentials could execute unauthorized commands;
- CVE-2021-1576: an attacker with valid credentials could access the logging subsystem of an affected system and retrieve sensitive data. The system is vulnerable only while a legitimate user maintains an active session on it.
The third bug affects Cisco’s WSA appliance, which protects users who access the web from a corporate network by automatically blocking risky sites and testing unknown sites before allowing users to click on them.
The issue, CVE-2021-1359, with a CVSS score of 6.3, exists in the configuration management of the Cisco AsyncOS operating system that powers the WSA, and could allow an authenticated, remote attacker to perform command injection and elevate privileges to root.
This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. “An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.”
The bug rates high-severity rather than critical since any would-be attacker would need a valid user account with the rights to upload configuration files in order to exploit it – something that could be achieved via another exploit or phishing attack.
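As an added illustration of the mitigation the advisory points to (insufficient validation of uploaded XML configuration), the following Python sketch is not Cisco's code and does not use the real AsyncOS configuration format, which this article does not describe. It accepts only allowlisted elements whose plain text value fully matches a tight pattern, and passes the value to the OS as a separate argv element rather than interpolating it into a shell string; the `<config>` schema, element names and sample documents are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical configuration schema: element name -> pattern its text must fully match.
# Tight patterns reject shell metacharacters and script fragments before any use.
ALLOWED_SETTINGS = {
    "hostname": re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}"),
    "ntp_server": re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}"),
    "log_level": re.compile(r"debug|info|warning|error"),
}


class ConfigValidationError(ValueError):
    """Raised when an uploaded configuration document violates the schema."""


def parse_config(xml_text: str) -> dict:
    """Parse an uploaded XML configuration and return validated settings.

    Unknown elements, attributes, nested markup and out-of-pattern values are
    rejected. Stdlib ElementTree does not fetch external entities, but for
    untrusted uploads in production a hardened parser (e.g. defusedxml) is a
    reasonable extra layer; that choice is left to the deployer here.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ConfigValidationError(f"malformed XML: {exc}") from exc
    if root.tag != "config" or root.attrib:
        raise ConfigValidationError("root element must be a bare <config>")
    settings = {}
    for child in root:
        if child.tag not in ALLOWED_SETTINGS:
            raise ConfigValidationError(f"unknown element <{child.tag}>")
        if child.attrib or len(child):  # attributes or nested elements
            raise ConfigValidationError(f"<{child.tag}> must be a plain text value")
        value = (child.text or "").strip()
        if not ALLOWED_SETTINGS[child.tag].fullmatch(value):
            raise ConfigValidationError(f"illegal value for <{child.tag}>: {value!r}")
        settings[child.tag] = value
    return settings


def is_valid_config(xml_text: str) -> bool:
    """Convenience wrapper for callers that only need an accept/reject decision."""
    try:
        parse_config(xml_text)
        return True
    except ConfigValidationError:
        return False


def hostname_command(settings: dict) -> list:
    """Build the OS command as an argv list (for subprocess.run without shell=True),
    so the value is a single argument and is never interpreted by a shell."""
    return ["hostname", settings["hostname"]]


# Constructed sample uploads: one well-formed, one carrying a shell metacharacter.
GOOD_CONFIG = "<config><hostname>wsa01</hostname><log_level>info</log_level></config>"
BAD_CONFIG = "<config><hostname>wsa01 ; extra</hostname></config>"
```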