Cisco releases critical security updates for Data Center Network Manager (DCNM)

Cisco released security updates for Cisco Data Center Network Manager (DCNM), a platform for managing Cisco’s data center deployments, switches and fabric extenders that run NX-OS. A total of 12 vulnerabilities in DCNM were addressed in 6 advisories, one of which has been rated critical, three rated high and two rated medium in severity.

• CVE-2019-15975, CVE-2019-15976, CVE-2019-15977: Multiple vulnerabilities in Cisco DCNM could allow an unauthenticated remote attacker with administrative privileges to bypass authentication mechanisms and execute arbitrary actions on an affected device. The flaws exist in REST API(CVE-2019-15975) and SOAP API(CVE-2019-15976) endpoints due to a static encryption key is shared between installations. An attacker who uses the static key to craft a valid session token could perform arbitrary actions through REST and SOAP API with admin privileges in web-based management interface due to the presence of static credentials.
  CVE-2019-15977 is a flaw in the web-based management interface of Cisco DCNM due to the presence of static credentials. An attacker who exploits the bug using static credentials to authenticate against the user interface, could gain access to certain sections of the web interface and obtain confidential information.
  
  
• CVE-2019-15984, CVE-2019-15985: Multiple vulnerabilities exist in the REST and SOAP API endpoints of Cisco DCNM allow an authenticated remote attacker to execute arbitrary SQL commands. These flaws exist due to insufficient validation of user-supplied input to the API. An unauthorized attacker who sends a crafted request to the API can view sensitive information, make changes to the system, or execute commands within the underlying operating system which affects the availability of the device.
  
  
• CVE-2019-15980, CVE-2019-15981, CVE-2019-15982: Multiple vulnerabilities exist in the REST and SOAP API endpoints of Cisco DCNM allow an authenticated remote attacker to conduct directory traversal attacks on an affected device. These flaws exist due to insufficient validation of user-supplied input to the API. An attacker who sends crafted request to the API could read, write, or execute arbitrary files in the system with full administrative privileges.
  
• CVE-2019-15978, CVE-2019-15979: Multiple vulnerabilities exist in the REST and SOAP API endpoints of Cisco DCNM allow an authenticated remote attacker with admin privileges to inject arbitrary commands on the underlying OS. These flaws exist due to insufficient validation of user-supplied input to the API. An attacker who sends crafted request to the API could execute arbitrary files in the system with full administrative privileges.
  
• 
  CVE-2019-15983 : A vulnerability in the SOAP API of Cisco DCNM allows an authenticated, remote attacker to gain read access to information stored on an affected system. The flaw exists due to improper handling of XML External Entity (XXE) entries in SOAP API when parsing certain XML files. An attacker who inserts malicious XML content in an API request could read arbitrary files from the device.
  
• 
  CVE-2019-15999 : A vulnerability in the application environment of Cisco DCNM could allow an authenticated remote attacker to gain unauthorized access to the JBoss Enterprise Application Platform (JBoss EAP). The flaw exists due to incorrect configuration of the authentication settings on JBoss EAP.
  

Affected Products

Cisco DCNM software before Release 11.3(1)

Impact

These vulnerabilities allow an attacker to bypass authentication mechanisms, inject SQL commands, traverse directories, gain unauthorized access and read sensitive data from the affected system.

Solution

Cisco has fixed these vulnerabilities in Cisco DCNM Software release 11.3(1). We strongly recommend upgrading Cisco DCNM to the latest version provided by the vendor.