Cisco Systems patched three bugs on Wednesday that are rated critical, tied to its Digital Network Architecture (DNA) Center platform.
Cisco also warned of four additional vulnerabilities – each rated high. All of the vulnerabilities have available patches for mitigation.
All three of the critical vulnerabilities received a Common Vulnerability Scoring System rating of 10, the highest possible warning. Each could allow an unauthenticated and remote attacker to bypass Cisco’s authentication checks and attack core functions of the DNA platform, which was introduced in 2016. DNA has been touted as a move away from the company’s hardware-centric business towards one more reliant on software and services; it’s an open, software-driven architecture focused on automation, virtualization, analytics and managed services.
One of the critical bugs (CVE-2018-0271) “could allow an unauthenticated, remote attacker to bypass authentication and access critical services,” according to Cisco. “The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue. A successful exploit could allow the attacker to gain unauthenticated access to critical services, resulting in elevated privileges in DNA Center.”
A second critical vulnerability (CVE-2018-0222) could allow an unauthenticated, remote attacker to log in Cisco’s DNA services using an administrative account that has default and static user credentials.
“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software,” Cisco wrote. “A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”
Lastly, Cisco is warning of a critical, unauthorized access flaw (CVE-2018-0268) that could allow a successful adversary to completely compromise of a targeted Kubernetes container management subsystem within DNA Center.
As for the vulnerabilities rated high, these include a Linux shell access vulnerability (CVE-2018-0279) tied to Cisco’s network function virtualization infrastructure software; a cross-site forgery bug (CVE-2018-0270) in its IoT Field Network Director platform; a certificate validation bug (CVE-2018-0277) used in the company’s Identity Services Engine; and a denial of service vulnerability (CVE-2018-0280) related to the Cisco Meeting Server.
Cisco credits its own security team for finding the bugs.
“NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates,” wrote the United States National Cybersecurity and Communications Integration Center, in an alert released Wednesday regarding the bugs.