On January 2, Cisco published a series of advisories for Cisco Data Center Network Manager (DCNM), a platform for managing Cisco’s data center deployments equipped with Cisco’s NX-OS. Cisco patched a total of 12 vulnerabilities, including a trio of critical authentication bypass flaws. Cisco DCNM software versions earlier than 11.3(1) contained these vulnerabilities.
Two of the three authentication bypass vulnerabilities, CVE-2019-15975 and CVE-2019-15976, were found in the REST API and SOAP API endpoints of Cisco DCNM. The cause was a static encryption key shared between installations. A remote, unauthenticated attacker could gain administrative privileges through either the REST API or the SOAP API by sending a special request that included a valid session token generated using the static encryption key.
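Why a key shared between installations defeats token-based authentication, shown as an added example that is not from the article or from Cisco. It models session tokens with HMAC-SHA256 as a generic stand-in, since the article does not describe DCNM's actual token format; `STATIC_KEY`, `Installation`, `mint` and `verify` are hypothetical names.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample value standing in for a key baked into every shipped image.
STATIC_KEY = b"constructed-key-identical-in-every-image"

def mint(key, user, role, ttl=900, now=None):
    """Return b'payload.signature'; only a holder of `key` can produce it."""
    now = time.time() if now is None else now
    claims = {"user": user, "role": role, "exp": int(now) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + sig

def verify(key, token, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(b".", 1)
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

class Installation:
    """One deployed server (hypothetical model, not DCNM code)."""
    def __init__(self, key=None):
        # Hardened default: a fresh 256-bit key generated at install time.
        self.key = secrets.token_bytes(32) if key is None else key

    def accepts(self, token):
        return verify(self.key, token) is not None

def demo():
    """Return (weak_accepts_outside_token, hardened_accepts_it, hardened_accepts_own)."""
    # Weak setup: the key ships in the software, so a token computed by anyone
    # holding a copy of the image validates on a site they never logged in to.
    outside_token = mint(STATIC_KEY, "admin", "admin")
    weak_site = Installation(STATIC_KEY)
    # Hardened setup: each site has its own random key, so neither the static
    # key nor another site's key yields a token this site accepts.
    site_a, site_b = Installation(), Installation()
    foreign = site_b.accepts(outside_token) or site_b.accepts(mint(site_a.key, "admin", "admin"))
    own = site_b.accepts(mint(site_b.key, "operator", "user"))
    return weak_site.accepts(outside_token), foreign, own

if __name__ == "__main__":
    print(demo())
```

The design point is that a token's validity must depend on a secret that exists only on the installation that issued it, generated at install time and never shipped in the software.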
The third authentication bypass vulnerability, CVE-2019-15977, was found in the web-based management interface for Cisco DCNM due to the use of static credentials. A remote, unauthenticated attacker could use these static credentials to extract sensitive information from the vulnerable device, enabling them to perform additional attacks.
Using these authentication bypass vulnerabilities, attackers could leverage the remaining flaws patched by Cisco. These include command injection vulnerabilities (CVE-2019-15978, CVE-2019-15979), SQL injection vulnerabilities (CVE-2019-15984, CVE-2019-15985), path traversal vulnerabilities (CVE-2019-15980, CVE-2019-15981, CVE-2019-15982) and an XML external entity vulnerability (CVE-2019-15983).
Eleven of the 12 vulnerabilities were reported by Steven Seeley of Source Incite. They follow four other flaws reported in June 2019 by security researcher Pedro Ribeiro, including CVE-2019-1619, an authentication bypass flaw in DCNM’s web-based management interface. Additionally, Cisco patched CVE-2019-15999, a vulnerability in DCNM’s JBoss Enterprise Application Platform (EAP) caused by a misconfiguration of authentication settings on the EAP.
Similarly, in October 2019, Cisco released patches for critical security vulnerabilities in its Aironet Access Point Software. Security pros at Cisco stated that the vulnerabilities could allow bad actors to achieve remote code execution.
If exploited, the vulnerabilities, tracked as CVE-2019-15260, CVE-2019-15261, and CVE-2019-15264, could allow an attacker to view sensitive information, meddle with wireless network configurations, and cause a denial of service. However, Cisco was quick to release fixes for all three high-severity flaws affecting its Access Point Software.