A debugging tool left enabled in deployments of Cisco’s large-scale data center management software could be accessed remotely, allowing an attacker to run code with root privileges.
Cisco made an update available that patches this and one other critical vulnerability in the same management software, the company said in an advisory published Wednesday.
Cisco said the vulnerability affects Cisco Prime Data Center Network Manager 10.1(1) and 10.1(2) for Windows, Linux and virtual appliance platforms.
The debugging tool in each version of the software lacked authentication and authorization mechanisms, Cisco said. The flaw lies in the role-based access control functionality of the management software.
“An attacker could exploit this vulnerability by remotely connecting to the debugging tool via TCP,” Cisco said in its advisory. “A successful exploit could allow the attacker to access sensitive information about the affected software or execute arbitrary code with root privileges on the affected system.”
The management software is used to oversee a number of Cisco Nexus switches and Cisco NX-OS and MDS SAN switches. Managers should ensure the software they’re running is version 10.2(1) or later.
The second critical vulnerability addressed is a hard-coded static credential that could be used by an attacker to log in to the management console. A default user account created when the software is installed has a default password, and by leveraging that credential, an attacker could gain root- or system-level privileges.
“A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server,” Cisco said in its advisory.
All versions of Cisco Prime Data Center Network Manager prior to 10.2(1) are affected on Windows, Linux and virtual appliance platforms, Cisco said.
There are no workarounds and no public exploits for either critical vulnerability, Cisco said.
Cisco also released patches on Wednesday for high-severity vulnerabilities in Cisco AnyConnect, the company’s mobile VPN product, and TelePresence Endpoint, the company’s teleconferencing and collaboration product.
The vulnerability in AnyConnect affects only the Windows version of the client, and allows a local, authenticated attacker to run an executable and elevate privileges to those of the Windows SYSTEM account. Cisco said DLL path and file names are not properly validated.
“An attacker could exploit this vulnerability by creating a malicious DLL file and installing it in a specific system directory,” Cisco said in its advisory. “A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account. The attacker would need valid user credentials to exploit this vulnerability.”
Versions of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.4.02034 are affected. The iOS, Android and Windows Phone versions are not affected, nor are the clients for MacOS or Linux, Cisco said.
The TelePresence vulnerability is in the implementation of the Session Initiation Protocol (SIP) in the TelePresence Codec and Collaboration Endpoint software. Remote attackers could exploit the flaw and cause the software to reload unexpectedly.
“The vulnerability is due to a lack of flow-control mechanisms within the software. An attacker could exploit this vulnerability by sending a flood of SIP INVITE packets to the affected device,” Cisco said in its advisory. “An exploit could allow the attacker to impact the availability of services and data of the device, including a complete DoS condition.”
Cisco said versions of TelePresence Codec prior to 7.3.8 and Collaboration Endpoint prior to 8.3.0 are affected. Cisco’s advisory includes a long list of specific affected models within the MX, Profile, SX, MXP, DX, EX, and Integrator C series. Cisco added that the Cisco Spark Room series is not affected, and neither is TelePresence CE 9.0.1.
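For administrators triaging an inventory against the versions reported above, the following added example (not Cisco's code, and not part of the original article) parses both Cisco version styles, `10.1(2)` and `4.4.02034`, and reports which of the four issues apply. The product keys, function names and sample inventory are assumptions made for illustration.

```python
import re

def parse_version(text):
    """Turn '10.1(2)' or '4.4.02034' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

# Affected releases and fixed versions as reported in the article above.
DCNM_FIXED = parse_version("10.2(1)")
DCNM_DEBUG_TOOL = {parse_version("10.1(1)"), parse_version("10.1(2)")}
# (product key, platform restriction or None) -> (first fixed version, issue)
OTHER_FIXES = {
    ("anyconnect", "windows"): ("4.4.02034", "local privilege escalation to SYSTEM"),
    ("telepresence-tc", None): ("7.3.8", "SIP INVITE flood DoS"),
    ("telepresence-ce", None): ("8.3.0", "SIP INVITE flood DoS"),
}

def findings(product, version, platform=None):
    """Return the issues from the article that apply to one installation."""
    v = parse_version(version)
    issues = []
    if product == "dcnm":
        # The debugging tool issue is limited to two releases; the static
        # credential affects every release before 10.2(1).
        if v in DCNM_DEBUG_TOOL:
            issues.append("unauthenticated debugging tool")
        if v < DCNM_FIXED:
            issues.append("static default credential")
        return issues
    for (name, plat), (fixed, issue) in OTHER_FIXES.items():
        if name == product and plat in (None, platform) and v < parse_version(fixed):
            issues.append(issue)
    return issues

def triage(inventory):
    """Map each host to its findings, skipping hosts with nothing to fix."""
    report = {}
    for host, product, version, platform in inventory:
        hits = findings(product, version, platform)
        if hits:
            report[host] = hits
    return report

# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE = [
    ("dcnm-01", "dcnm", "10.1(2)", "linux"),
    ("dcnm-02", "dcnm", "10.2(1)", "windows"),
    ("laptop-7", "anyconnect", "4.4.01054", "windows"),
    ("laptop-9", "anyconnect", "4.4.01054", "macos"),
    ("room-3", "telepresence-ce", "9.0.1", None),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, "->", ", ".join(hits))
```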