Cisco: Two critical bugs in DNA network software need these urgent patches

Cisco reveals patches for three critical flaws and 33 more high- and medium-severity bugs.
Written by Liam Tung, Contributing Writer

Cisco has plugged two severe vulnerabilities affecting its Digital Network Architecture (DNA) Center software.

Appliances running Cisco's DNA Center software before Release 1.1.4 are vulnerable to an authentication bypass that could allow a remote attacker to "take complete control" of its identity management functions.

Network admins can use the DNA Center interface to add new devices to the network and manage them based on enterprise policies. DNA Center is part of Cisco's toolkit for internet-based networking.

Lax security restrictions on key DNA management functions mean an attacker could send a valid identity management request to an affected system and then change existing system users or create new users, according to Cisco.

The flaw, which is tracked as CVE-2018-0448, is rated critical and has a Common Vulnerability Scoring System (CVSS) v 3.0 rating of 9.8 out of 10.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

It's fixed in release 1.1.4 and later and since there are no workarounds, admins will need to update to these releases to fix the bug.

Admins can check which release they're running by logging into the DNA user interface via a browser and then clicking on settings and About DNA Center.

Admins should have already updated to DNA Center release 1.1.4 based on an earlier advisory about undocumented, hardcoded credentials for the default admin account in release 1.1.3.

Cisco also fixed another critical DNA Center flaw, CVE-2018-15386, which could give a remote attacker direct access to core management functions.

An attacker could exploit the bug by directly connecting to exposed DNA Center services and from there obtain or change critical system files.

This bug is due to insecure default configurations affecting DNA Center release 1.1 Again, there are no workarounds for the bug, so admins will need to update to release 1.2 and later.

Both flaws were found during internal testing. Cisco is not aware of any exploits in the wild for the flaws.

Cisco has also fixed a critical flaw affecting Cisco Prime Infrastructure (PI) that could let a remote attacker upload any file they wish without requiring authentication. The file could be used to execute commands.

On PI, Trivial File Transfer Protocol (TFTP) is enabled by default and accessible from the web interface, which an attacker could use to upload a malicious file.

Customers should check Cisco's advisory to determine whether they're running a fixed release. It also has workarounds for some releases.

The flaw was reported by independent security researcher Pedro Ribeiro through Beyond Security's SecuriTeam Secure Disclosure program.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

Beyond Security notes in its detailed report about the PI issue that Ribeiro identified two flaws but only one was fixed in Cisco's patch.

"The first vulnerability is a file-upload vulnerability that allows the attacker to upload and execute JSP files as the Apache Tomcat user," the company notes.

"The second vulnerability is a privilege escalation to root by bypassing execution restrictions in a SUID binary.

"From our assessment the provided fix only addresses the file uploading part of the exploit, not the file inclusion, the ability to execute arbitrary code through it or the privileges escalation issue that the product has."

Cisco also released patches for 33 more high- and medium-severity flaws affecting WebEx, SD-WAN products, and its ASA security appliances.

Previous and related coverage

Cisco DoS warning: Patch these 13 high-severity holes in IOS, IOS XE now

Cisco has fixes in its September bundle for over a dozen denial-of-service security flaws.

Cisco: Linux kernel FragmentSmack bug now affects 88 of our products

Cisco's list of products with a Linux kernel denial-of-service flaw is growing.

Cisco: We've killed another critical hard-coded root password bug, patch urgently

This time a 9.8/10-severity hardcoded password has been found in Cisco's video surveillance software.

Cisco critical flaw warning: These 10/10 severity bugs need patching now

Cisco's software for managing software-defined networks has three critical, remotely exploitable vulnerabilities.

Cisco patches critical Nexus flaws: Are your switches vulnerable?

You'll need to wade through Cisco's advisories to work out if software you're running is vulnerable or already fixed.

Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw

Cisco patches two serious authentication bugs and a Java deserialization flaw.

Cisco warns customers of critical security flaws, advisory includes Apache Struts

The massive security update includes a patch for the recently-disclosed Apache bug -- but not all products will be fixed yet.

Cisco updates ASR 9000 edge routing platform to carry users to 5G, multicloud world TechRepublic

New automation software, a new networking processor, and a new operating system will help Cisco customers make the transition to next-generation networking.

Apple and Cisco pool their might to shield companies from cyber risks CNET

Apple and Cisco join forces to protect businesses from risk of cyber threats.

Editorial standards