Issue 47: Cisco and MuleSoft vulnerabilities, API World passes


This week we look into the recent API vulnerability in Cisco routers, how MuleSoft handled severe vulnerability in their API gateway, API security aspects of communication PaaS, and passes for upcoming API World conference in San Jose, CA.

Vulnerabilities: Cisco

Cisco has implemented their REST API as a virtual service container for IOS XE. This operating system is used on a variety of Cisco routers. It is not enabled by default but needs to be installed by administrators who need the REST API functionality.

Quoting Cisco on the details of the patched vulnerability:

“The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device.”

Vulnerabilities and Policies: MuleSoft

MuleSoft is an integration company recently acquired by Salesforce.com. Their platform allows customers to integrate various internal systems and expose them as APIs.

They had a severe flaw in their runtime and API gateway. Attackers were able to remotely push arbitrary files to the operating system and even get them executed. This is a critical vulnerability, especially to anyone who is using the system on-premises with access to critical internal systems.

ZDNet story covers not just the flaw but also the great job that the company did on handling the vulnerability and working with their customers to have it fixed. The company went great lengths to ensure that each of their on-premises customers installed the patch as quickly as possible.

This also demonstrates why API security products are complementary to API gateways and should be used side by side as the extra layer of security.

Communication APIs and Security

Communications platform-as-a-service (CPaaS) APIs such as Twilio can help developers give their users rich communication capabilities.

Channel Futures has a story of the API Security implications of using CPaaS:

  • Things to look for when picking CPaaS: API specification, authentication and authorization best practices, TLS
  • The differences in security approach for 3 main scenarios:
    • CPaaS invoking your endpoint
    • Your application invoking the CPaaS API
    • Your application using CPaaS code (e.g., SDK, iframe)
  • Affect on risk and threat surface

Conferences: API World

API World is one of the biggest API conferences. More than 3,500 attendees are expected to come to San Jose October 8-10, 2019 to attend it.

Security is becoming a part of the agenda this year too.

If you do not have a pass yet, 42Crunch is giving away some free passes on their website.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy