Cisco has disclosed a critical security vulnerability in Cisco Data Center Network Manager (DCNM), a key piece of Cisco's data-center automation software for its widely used MDS and Nexus line of networking hardware.
During internal testing, Cisco discovered that a bug in the REST application protocol interface (API) of DCNM could allow anyone on the internet to skip over the web interface's log in and carry out actions as if they were an administrator of the device.
The newly disclosed bug, tagged as CVE-2020-3382, is similar to the static encryption key flaw in DCNM that an external researcher discovered earlier this year.
SEE: IT Data Center Green Energy Policy (TechRepublic Premium)
The static key lets attackers use it to generate a valid session token on an affected device and do whatever they want through the REST API with administrative privileges.
"The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges," explains Cisco in the advisory.
Admins need to install the latest versions of Cisco's DCNM software releases to shut down the bug since there are no workarounds. However, Cisco notes it is not aware of attackers using this flaw yet.
The bug has a severity rating of 9.8 out of a possible 10, and affects DCNM software releases 11.0(1), 11.1(1), 11.2(1), and 11.3(1).
Cisco also reported a critical flaw with a severity rating of 9.9 in the web interface of its Cisco SD-WAN vManage software.
The bug, tracked as CVE-2020-3374, lets a person on the internet with the right credentials attack a system after bypassing authorization. From there, attackers could reconfigure a system and knock it offline or access sensitive information.
"The vulnerability is due to insufficient authorization checking on the affected system. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system," explained Cisco.
"A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for their configured user authorization level. The attacker may be able to access sensitive information, modify the system configuration, or impact the availability of the affected system."
Again, there are no workarounds, so admins need to install fixed releases from various software trains of Cisco SD-WAN vManage. Devices using releases 18.3 or prior will need to migrate to fixed releases from newer trains.
Fortunately, this bug was also discovered during a Cisco investigation with a customer. The company is not aware of public exploits for the vulnerability.