Cisco Systems has released emergency patches for two critical vulnerabilities in its Data Center Network Manager, which could allow attackers to take control of impacted systems.
The Data Center Network Manager (DCNM) is Cisco’s network management platform for switches running on its network operating system (NX-OS), including Cisco Nexus Series switches. Overall, the networking giant patched four flaws that existed in the software on this platform: two critical, one high-severity and one medium-severity.
The platform’s web-based management interface has two critical vulnerabilities (CVE-2019-1620 and CVE-2019-1619) which both rank 9.8 out of 10 on the CVSS scale. Cisco said that it has not spotted any active exploits of the vulnerabilities in the wild.
One of these (CVE-2019-1620) is an arbitrary file upload vulnerability that could enable remote code execution on impacted devices. The vulnerability stems from incorrect permission settings in the DCNM software. This error means that an unauthenticated, remote attacker would be able to send specially crafted data to a specific web servlet that is available on affected devices, thus creating arbitrary files on the underlying DCNM filesystem. A web servlet is a class that responds to a particular type of network request (generally an HTTP request).
“An attacker could exploit this vulnerability by uploading specially crafted data to the affected device,” Cisco said in its advisory. “A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.”
Impacted are DCNM software releases prior to Release 11.2(1); Cisco said that it has removed the affected web servlet in Release 11.2(1).
The other critical vulnerability (CVE-2019-1619) is an authentication bypass flaw in the DCNM management interface that could allow an unauthenticated, remote attacker to “bypass authentication and execute arbitrary actions with administrative privileges on an affected device,” Cisco said.
This flaw exists because of improper session management on DCNM software versions prior to Release 11.1(1).
This means an attacker could obtain a valid session cookie without knowing the administrative user password, by sending a specially crafted HTTP request to a specific web servlet that is available on impacted devices. Once the attacker does that, they could gain administrative access and take over the device.
Cisco said that it removed the affected web servlet completely in DCNM Software Release 11.1(1) and urged users to update to that version.
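The fixed releases named above can be turned into an inventory check. The script below is an added example, not code from Cisco or from this article; the hostnames, sample release strings and function names are constructed for illustration, and only the two critical CVEs are covered because those are the ones the article gives a fixed release for.

```python
import re

# Fixed releases as stated in the article. Only the two critical CVEs are
# listed because the article names a fixed release for those alone.
FIXED_IN = {
    "CVE-2019-1619": (11, 1, 1),  # authentication bypass
    "CVE-2019-1620": (11, 2, 1),  # arbitrary file upload
}

# DCNM release strings look like "11.1(1)": major.minor(maintenance).
_RELEASE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)\s*$")


def parse_release(text):
    """Turn '11.1(1)' into the comparable tuple (11, 1, 1)."""
    match = _RELEASE.match(text)
    if match is None:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(part) for part in match.groups())


def exposed_cves(release):
    """Return the CVEs whose fixed release is newer than `release`."""
    parsed = parse_release(release)
    return sorted(cve for cve, fixed in FIXED_IN.items() if parsed < fixed)


def triage(inventory):
    """Map host -> list of CVEs, or None when the release cannot be parsed."""
    report = {}
    for host, release in inventory.items():
        try:
            report[host] = exposed_cves(release)
        except ValueError:
            report[host] = None  # unknown: review by hand, never assume patched
    return report


# Constructed inventory (hypothetical hostnames and release strings).
SAMPLE_INVENTORY = {
    "dcnm-lab-01": "10.4(2)",
    "dcnm-prod-01": "11.1(1)",
    "dcnm-prod-02": "11.2(1)",
    "dcnm-dr-01": "11.x",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = "UNPARSED" if cves is None else (", ".join(cves) or "fixed")
        print(f"{host}: {status}")
```

A host on 11.1(1) is reported as fixed for the authentication bypass but still exposed to the file upload flaw, which is why the two thresholds are tracked separately.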
Security researcher Pedro Ribeiro was credited with reporting both critical vulnerabilities to iDefense’s Vulnerability Contributor Program, a bug bounty program.
Also patched were a high-severity flaw (CVE-2019-1621) in DCNM that stems from incorrect permissions settings and could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device; and a medium-severity vulnerability (CVE-2019-1622) that is due to improper access controls for certain URLs on DCNM software and could allow a remote attacker to retrieve sensitive data from victims.
Cisco has dealt with a slew of vulnerabilities so far this month, including a critical vulnerability in its Digital Network Architecture (DNA) Center, which could allow an unauthenticated attacker to access critical internal services, and a high-severity vulnerability in its software for routers and switches, which could enable a remote attacker to reconfigure or execute commands on impacted devices.