Anybody using Cisco Systems' Data Center Network Manager needs to apply software updates Cisco released Thursday to address serious multiple authentication vulnerabilities. The company said there were no workarounds, which means operators can't safely put updating on hold until their next scheduled patch day or until they're certain the new software won't create new problems.
The vulnerabilities affect all versions of DCNM earlier than 11.3(1) for Windows, Linux, and virtual appliance platforms.
DCNM is the management system for Cisco's Unified Fabric. It provides a dashboard for data center operators to provision, monitor, and troubleshoot network infrastructure.
The updated software aims primarily at fixing three vulnerabilities that carry a 9.8 rating on the 10-point Common Vulnerability Scoring System scale. These security holes could be used by remote attackers to bypass authentication and gain administrative privileges on affected systems.
The vulnerabilities are not dependent on one another, Cisco said, meaning an attacker doesn't have to take advantage of one vulnerability before being able to exploit another. In addition, one DCNM software release affected by one of the vulnerabilities is not necessarily affected by others.
Drilling Into the Vulnerabilities
Although the three vulnerabilities are are not connected to one another, they can all be used by unauthenticated remote attackers to bypass authentication. Two of the three are due to a static encryption key that is shared between installations:
- CVE-2019-15975 affects the REST API endpoint. According to Cisco, "An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges."
- CVE-2019-15976 affects the SOAP API endpoint. Cisco said that this one could be exploited "by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the SOAP API with administrative privileges."
- CVE-2019-15977 is a vulnerability in DCNM's web-based management interface. Unlike the other two, which involved static encryption keys, this one is due to static credentials that can be exploited to gain privileged access to the user interface. According to Cisco, "A successful exploit could allow the attacker to access a specific section of the web interface and obtain certain confidential information from an affected device. This information could be used to conduct further attacks against the system."
The good news for administrators is that, according to Cisco, the vendor has seen no evidence that these vulnerabilities are being actively exploited.
The software fixes also include remedies for seven additional DCNM vulnerabilities involving REST and SOAP APIs, which, Cisco said, are less severe. Access to the updated software and information on its installation is available on Cisco's website.