Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager (DCNM) tool for managing network platforms and switches.
The three critical vulnerabilities in question (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) impact DCNM, a platform for managing Cisco data centers that run Cisco’s NX-OS — the network operating system used by Cisco’s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches.
The flaws, patched on Jan. 3, could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices.
Fast forward to this week, the security researcher who initially discovered the flaws, Steven Seeley, released public PoC exploits for the flaws.
“In this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root,” he explained in a blog post.
“In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.”
Two of the flaws (CVE-2019-15975 and CVE-2019-15976) are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM. Representational State Transfer (REST) is an architecture style for designing networked applications, according to RestFulApi.net; while Simple Object Access Protocol (SOAP) is a standard communication protocol system that allows processes using different operating systems (like Linux and Windows) to communicate via HTTP and its XML, according to a DZone description. The flaw stems specifically from the existence of a static encryption key shared between REST API and SOAP API installations.
The third bug (CVE-2019-15976) is described by Cisco as “data center network manager authentication bypass vulnerability.” This flaw exists in the web-based management interface of the DCNM, allowing an unauthenticated, remote attacker to bypass authentication on an affected device.
Seeley said he was able to exploit the flaw by targeting two different setups of DCNM “because some code paths and exploitation techniques were platform specific.” Those two were the Cisco DCNM installer for Windows and DCNM ISO Virtual Appliance for VMWare servers (both were DCNM version 11.2, released June 18, 2019).
I'm excited to share my post about discovering & exploiting multiple critical vulnerabilities in Cisco's DCNM.
Busting Cisco's Beans :: Hardcoding Your Way to Hell https://t.co/EkwwJ2u195
— ϻг_ϻε (@steventseeley) January 14, 2020
Seeley said that he was able to control all the elements to forge his own token and then use a hardcoded key to generate a Single Sign-On Token (ssoToken), which allowed him to bypass authentication.
From there, he could “send a SOAP request to the /DbAdminWSService/DbAdminWS endpoint and add a global admin user that will give us access to all interfaces,” he said.
With the PoC exploit code now available, Cisco is urging customers to update. The networking giant released software updates patching the vulnerabilities earlier this month,
“The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory,” according to Cisco’s advisory, which was updated on Wednesday.
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.