Cisco ACE 4710 Application Control Engine Command Injection Vulnerability

cisco-sa-20160224-ace · High · Published · Updated

A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by crafting a malicious HTTP POST request with CLI commands injected into the value of a POST parameter. An exploit could allow the attacker to bypass the role-based access control (RBAC) restrictions enforced by the Cisco ACE Device Manager GUI.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160224-ace

Workarounds

Administrators can disable management access to the Cisco ACE 4710 Application Control Engine Device Manager GUI until the appropriate fix can be applied. The following example shows how to disable access, assuming the device is configured with the following management class map:

class-map type management match-any my-mgmt-class
  202 match protocol icmp any
  203 match protocol https any
  204 match protocol ssh any

ace-4710-1/Admin# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

ace-4710-1/Admin(config)# class-map type management match-any my-mgmt-class
ace-4710-1/Admin(config-cmap-mgmt)# no match protocol https any
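
To find every management class map that still permits HTTPS before applying the workaround, a saved running configuration can be audited offline. The script below is an added example, not part of the Cisco advisory: the function names and the sample configuration are constructed for illustration, it assumes the `no` form for a source other than `any` mirrors the match line as in the example above, and it does not check whether a class map is actually referenced by a policy applied to an interface.

```python
import re

# Constructed sample: the advisory's class map plus two hypothetical ones.
SAMPLE_CONFIG = """\
class-map type management match-any my-mgmt-class
  202 match protocol icmp any
  203 match protocol https any
  204 match protocol ssh any
class-map type management match-any ssh-only-class
  10 match protocol ssh any
class-map match-all web-vip
  2 match virtual-address 192.0.2.10 tcp eq https
"""

CLASS_RE = re.compile(r"^class-map\s+type\s+management\s+(?:match-(?:any|all)\s+)?(\S+)$")
MATCH_RE = re.compile(r"^(?:(\d+)\s+)?match\s+protocol\s+(\S+)\s+(.+)$")


def find_https_mgmt(config_text):
    """Return (header, name, seq, source) for each HTTPS match in a management class map."""
    findings, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("class-map "):
            m = CLASS_RE.match(line)
            current = (line, m.group(1)) if m else None  # ignore non-management maps
            continue
        m = MATCH_RE.match(line)
        if not m:
            if line and not line.startswith("description"):
                current = None  # any other statement ends the class-map block
            continue
        if current and m.group(2).lower() == "https":
            seq = int(m.group(1)) if m.group(1) else None
            findings.append((*current, seq, m.group(3)))
    return findings


def workaround_commands(findings):
    """CLI lines in the form the advisory shows: re-enter the class map, negate the match."""
    cmds, last = [], None
    for header, _name, _seq, source in findings:
        if header != last:
            cmds.append(header)
            last = header
        cmds.append(f"no match protocol https {source}")
    return ["configure terminal", *cmds] if cmds else []


if __name__ == "__main__":
    for cmd in workaround_commands(find_https_mgmt(SAMPLE_CONFIG)):
        print(cmd)
```

Re-running the audit against the configuration saved after the change should return no findings; the HTTPS keyword inside the non-management `web-vip` class map is deliberately not flagged.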

CVEs: CVE-2016-1297
Cisco Bug IDs: CSCul84801
CVSS Score: Base 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C)

Products with public affected evidence