Cisco has recently rolled-out fixes for multiple vulnerabilities in its Data Center Network Manager (DCNM) software. These include a total of four security fixes for vulnerabilities with varying severity levels. Two of these included critical vulnerabilities that could let an attacker remotely access a target device.
Critical Vulnerabilities In Cisco DCNM Software
Recently, Cisco has addressed two critical security flaws in the Data Center Network Manager (DCNM) software. These vulnerabilities existed in the web-based management interface of the software. Exploiting these flaws could allow remote attacks on the system.
The first of these, CVE-2019-1619, is an authentication bypass vulnerability with a CVSS score of 9.8. Describing it in the advisory, Cisco stated,
The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.
Cisco fixed this vulnerability with the release of DCNM Software v.11.1(1) and later.
Whereas, the other one, CVE-2019-1620, is an arbitrary file upload and remote code execution flaw. This one too has a CVSS base score of 9.8. Regarding this vulnerability, Cisco stated in its advisory,
The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.
The vendors patched the flaw with Cisco DCNM Software Release 11.2(1) and later.
Other Flaws In Data Center Network Manager
Apart from the above two critical vulnerabilities, Cisco also addresses two other security flaws in the software. These include a high-severity arbitrary file download vulnerability, CVE-2019-1621, that could allow remote attacker access and download sensitive files from the target system; and an information disclosure flaw of medium severity (CVE-2019-1622) allowing unauthenticated remote attacks.
The users of Cisco DCNM must ensure updating their devices to DCNM Software Release 11.2(1) and later to stay protected from potential risks. Cisco acknowledged the independent researcher Pedro Ribeiro for highlighting all these flaws.
Let us know your thoughts in the comments.