Cisco has disclosed a dozen bugs affecting its Data Center Network Manager (DCNM) software, including three critical authentication-bypass bugs that expose enterprise customers to remote attacks.
Cisco warns that a remote attacker can bypass DCNM’s authentication and carry out tasks with administrative privileges on an affected device.
The available updates are highly important for enterprise data centers built with its Nexus NX-OS-based switches. DCNM is a key component for automating NX-OS-based network infrastructure deployments.
Cisco points to three separate authentication bypass vulnerabilities in a single advisory. They’re tagged as CVE-2019-15975, CVE-2019-15975, and CVE-2019-15977 and the trio have a severity rating of 9.8 out of a possible 10, meaning they are firmly critical security issues.
The bugs “could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device”, Cisco said.
Despite the common advisory, Cisco explains the vulnerabilities are independent of each other and that exploitation of one isn’t required to exploit another.
The first bug is due to a static encryption key that’s shared between installations. The issue resides in the REST API endpoint of DCNM. It allows an attacker to use the static key to generate a valid session token and potentially carry out actions at will through the REST API with administrative privileges.
The second bug stems from the same problem. However, it lies in the SOAP API endpoint of DCNM. “A successful exploit could allow the attacker to perform arbitrary actions through the SOAP API with administrative privileges,” Cisco warned.
The third bug is because Cisco added hard-coded credentials for the web-based user interface, which could allow an attacker to access a section of the web interface and obtain confidential information from an affected device.
Cisco says it fixed these vulnerabilities in Cisco DCNM Software releases 11.3(1) and later on Windows, Linux, and virtual appliance platforms.
The bugs were reported by Steven Seeley via Trend Micro’s Zero Day Initiative and iDefense, Accenture.
Seeley’s advice to customers is to patch DCNM now and if that’s not possible, uninstall the software.
Seeley also found three high-severity bugs in the REST and SOAP API endpoints and the Application Framework feature of DCNM. The bugs could allow an authenticated remote attacker to conduct directory traversal attacks on an affected device,.
The bugs affect Cisco DCNM prior to Release 11.3(1) for Windows, Linux, and virtual appliance platforms. All three bugs were due to insufficient validation of user-supplied input to the respective interfaces.
Two extra bugs he found in DCNM included a high-severity command-injection flaw in DCNM REST and SOAP API endpoints and a medium-severity issue in DCNM.