New Cisco critical bugs: 9.8/10-severity Nexus security flaws need urgent update

Admins using Cisco's automation software or Nexus kit should patch now.


Cisco has revealed two more highly critical security bugs affecting its data-center software, a week after telling customers to patch core network-management products.  

The newly disclosed bugs affect Cisco's Data Center Network Manager (DCNM) software and once again are in its web-based management interface. 

Both flaws can be exploited by anyone on the internet and are rated as critical, with severity ratings of 9.8 out of 10. 


DCNM is the network management system for all NX-OS systems that use Cisco's Nexus hardware in data centers. The software is used to automate provisioning, troubleshooting, and spotting configuration errors. 

In other words, it's a crucial piece of software for organizations that use Nexus switches, whose NX-OS operating system got patches for an equally severe flaw in May.    

The first issue, CVE-2019-1619, is an authentication bypass in DCNM's web interface that allows an attacker to take a valid session cookie without knowing the admin user password. 

Attackers would need to send a specially crafted HTTP request to an undisclosed but specific web servlet on affected devices to obtain that session cookie. With the cookie in hand, they would be able to control the device with administrative privileges.

Cisco has now removed that web servlet entirely in DCNM software release 11.1(1). It had already deprecated the servlet in release 11.0(1), which removed the attack vector in that version.

Cisco released DCNM software release 11.1(1) in early May and is urging customers to upgrade to 11.1(1) or later to address the issue.

The second flaw would allow anyone on the internet to upload malicious files to the DCNM filesystem on affected devices. Again, this bug is due to an undisclosed but specific web servlet, which Cisco removed completely in software release 11.2(1), released in June.

"The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device," Cisco explained in its advisory for the bug CVE-2019-1620.  

"A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device."

While customers on DCNM release 11.2(1) and later should be safe, Cisco notes that attackers targeting release 11.1(1) could gain unauthenticated access to the affected web servlet and exploit the flaw. In the 11.0(1) release, an attacker would need to be authenticated to the DCNM web interface to exploit it.
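As an added example (not from the article or from Cisco), a small Python triage script that maps DCNM release strings onto the fix versions stated above so an admin can see which installs still need the upgrade; the release-string parser, the hostnames and the 10.4(2) release in the sample inventory are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Cisco DCNM release strings look like "11.1(1)"; this hypothetical parser
# turns one into a comparable (major, minor, rebuild) tuple.
RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)\s*$")

# Release facts stated in the article: CVE-2019-1619 is fixed in 11.1(1);
# the CVE-2019-1620 servlet was removed in 11.2(1), is reachable without
# authentication on 11.1(1), and needs DCNM web authentication on 11.0(1).
FIXED_IN = {"CVE-2019-1619": (11, 1, 1), "CVE-2019-1620": (11, 2, 1)}

def parse_release(release: str) -> Optional[Tuple[int, int, int]]:
    m = RELEASE_RE.match(release)
    if m is None:
        return None
    major, minor, rebuild = (int(x) for x in m.groups())
    return (major, minor, rebuild)

def assess(release: str) -> Dict[str, str]:
    """Per-CVE status for one DCNM release string."""
    ver = parse_release(release)
    if ver is None:
        return {cve: "unknown (unparseable release)" for cve in FIXED_IN}
    status = {}
    for cve, fixed in FIXED_IN.items():
        if ver >= fixed:
            status[cve] = "fixed"
        elif cve == "CVE-2019-1620" and ver >= (11, 1, 1):
            status[cve] = "vulnerable (unauthenticated)"
        elif cve == "CVE-2019-1620" and ver >= (11, 0, 1):
            status[cve] = "vulnerable (authentication required)"
        else:
            status[cve] = "vulnerable"
    return status

def needs_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose DCNM release is vulnerable or unknown for any CVE."""
    return sorted(host for host, rel in inventory.items()
                  if any(s != "fixed" for s in assess(rel).values()))

# Constructed sample inventory: hostnames and the 10.4(2) string are made up.
SAMPLE_INVENTORY = {"dcnm-prod": "11.2(1)", "dcnm-lab": "11.1(1)",
                    "dcnm-old": "11.0(1)", "dcnm-dr": "10.4(2)", "dcnm-x": "n/a"}

if __name__ == "__main__":
    for host, rel in SAMPLE_INVENTORY.items():
        print(host, rel, assess(rel))
    print("upgrade:", needs_upgrade(SAMPLE_INVENTORY))
```

Anything that does not parse is reported as unknown rather than silently treated as fixed, so inventory entries with missing or odd version strings still surface in the upgrade list.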

Both bugs were found by Pedro Ribeiro, who reported them through iDefense's Vulnerability Contributor Program. Cisco said it is not currently aware of any attacks that exploit these bugs.
