Fri. Jun 5th, 2020

Cisco Patches Critical Flaw in Data Center Network Manager

Cisco has released patches to fix a flaw in its Data Center Network Manager (DCNM) software, which could allow hackers to remotely take over affected devices.


Overall, the tech giant patched four security bugs: two critical, one high-severity, and one medium-severity. All of the vulnerabilities are in the web management console. The two critical vulnerabilities (CVE-2019-1620 and CVE-2019-1619) each rank 9.8 out of 10 on the CVSS scale.


The first critical vulnerability, CVE-2019-1620, is an arbitrary file upload flaw that exists in DCNM versions prior to 11.2(1). It stems from incorrect permission settings in the web-based interface of the network management platform. If exploited, it lets a threat actor upload malicious files to an affected system.


In its advisory, Cisco warns that “an attacker may achieve creation of arbitrary files on the underlying DCNM filesystem by sending specially crafted data to a specific web servlet that is available on affected devices.”


The second critical vulnerability, CVE-2019-1619, is an authentication bypass flaw that Cisco says could allow an unauthenticated, remote attacker to “bypass authentication and execute arbitrary actions with administrative privileges on an affected device.”


This flaw exists because of improper session management on DCNM software versions prior to Release 11.1(1). However, Cisco said that it removed the affected web servlet completely in DCNM Software Release 11.1(1) and urged users to update to that version.
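The two critical flaws are fixed in different releases, so a host updated to 11.1(1) is still exposed to CVE-2019-1620. The following added example (not Cisco's code or part of the original article) triages an inventory against the fixed releases quoted above; the host names, the inventory, and the assumption that releases are written as `major.minor(maintenance)` are illustrative.

```python
import re

# Fixed releases as stated in the article: a host is exposed to a CVE
# when its DCNM release is older than the listed release.
FIXED_IN = {
    "CVE-2019-1620": (11, 2, 1),  # arbitrary file upload
    "CVE-2019-1619": (11, 1, 1),  # authentication bypass
}

# Assumed release format: major.minor(maintenance), e.g. "11.2(1)".
_RELEASE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)\s*$")


def parse_release(text):
    """Turn a release string such as '11.2(1)' into a comparable tuple."""
    match = _RELEASE.match(text)
    if match is None:
        raise ValueError(f"unrecognised DCNM release string: {text!r}")
    return tuple(int(part) for part in match.groups())


def exposed_cves(release):
    """Return the CVE IDs from FIXED_IN that still apply to this release."""
    version = parse_release(release)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def triage(inventory):
    """Map each host to its exposed CVEs; unparseable releases map to None
    so they are flagged for manual review instead of silently passing."""
    report = {}
    for host, release in inventory.items():
        try:
            report[host] = exposed_cves(release)
        except ValueError:
            report[host] = None
    return report


if __name__ == "__main__":
    # Constructed inventory: host names and releases are illustrative only.
    sample = {"dcnm-lab-a": "10.4(2)", "dcnm-lab-b": "11.1(1)",
              "dcnm-lab-c": "11.2(1)", "dcnm-lab-d": "11.2"}
    for host, cves in triage(sample).items():
        status = "check manually" if cves is None else (", ".join(cves) or "patched")
        print(f"{host}: {status}")
```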


The other two vulnerabilities, CVE-2019-1621 and CVE-2019-1622, are less severe, but they can still cause an extensive amount of damage. According to Cisco, if a threat actor exploited CVE-2019-1621, which has a high-severity score of 7.5, they could “use a specific web servlet that is available on affected DCNM devices to download arbitrary files from the underlying filesystem” by requesting specific URLs.


Independent security researcher Pedro Ribeiro was credited with discovering the flaws and reporting them to Accenture’s iDefense Vulnerability Contributor Program, a bug bounty program.