Home & Office

Critical Cisco DCNM flaws: Patch right now as PoC exploits are released

The need to patch Cisco Data Center Network Manager for Nexus switches becomes even more urgent.
Written by Liam Tung, Contributing Writer

It's time to patch recently disclosed flaws in Cisco Data Center Network Manager (DCNM) software after a security researcher published proof-of-concept (PoC) exploit code for three critical authentication-bypass bugs that expose enterprise customers to remote attacks.

Cisco fortunately has released patches and issued an advisory in early January for the flaws, which are tracked as CVE-2019-15975, CVE-2019-15975, and CVE-2019-15977. The three distinct bugs have a joint severity rating of 9.8 out of a possible 10. 

Steven Seeley, the researcher who reported the bugs to Cisco, has now made good on a promise to explain the bugs in more detail and has also published PoC exploit code for the bugs in a blogpost. 

"I share three full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session," explains Seeley. 

SEE: 10 tips for new cybersecurity pros (free PDF)

The DCNM security updates are relevant to enterprise data centers built with its NX-OS-based Nexus switches. 

At the time of Cisco's advisory, Seeley advised users to "uninstall or patch" your DCNM software immediately. That advice is even more pertinent now as attackers may use his PoC exploit code to launch remote attacks on enterprise data centers with Nexus equipment. 

Two of the authentication bypass flaws were in the REST and SOAP APIs and were due to static encryption keys shared between installations. An attacker could exploit the bug by using the static key to craft a valid session token, Cisco warned. The third was caused by the use of static credentials in the web-based management interface of DCNM. 

Seeley's first method for gaining remote code execution (RCE) on DCNM software involves targeting the DCNM installer for Windows and the DCNM ISO Virtual Appliance for VMware. 

The second RCE targets DCNM ISO Virtual Appliance for VMware, and the third RCE targets the DCNM Installer for Windows.

SEE: The dark side of IoT, AI and quantum computing: Hacking, data breaches and existential threat

The researcher details code that an attacker could use to forge their own token and then use a hardcoded key to generate a Single Sign On (SSO) token to bypass authentication on DCNM.     

"Using this bug, we can send a SOAP request to the /DbAdminWSService/DbAdminWS endpoint and add a global admin user that will give us access to all interfaces," wrote Seeley.

That technique was similar to the one used for four DCNM flaws reported by security researcher Pedro Ribeiro last year.

More on Cisco and network security

  • Cisco critical bugs: Nexus data center switch software needs patching now  
  • Cisco: All these routers have the same embedded crypto keys, so update firmware  
  • Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now  
  • Cisco warning: These routers running IOS have 9.9/10-severity security flaw
  • Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • New Cisco critical bugs: 9.8/10-severity Nexus security flaws need urgent update
  • Cisco critical-flaw warning: These two bugs in our data-center gear need patching now
  • Cisco alert: Patch this dangerous bug open to remote attacks via malicious ads
  • Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
  • Cisco's warning: Patch now, critical SSH flaw affects Nexus 9000 fabric switches
  • Cisco warns over critical router flaw
  • Cisco: These are the flaws DNS hijackers are using in their attacks
  • Cisco bungled RV320/RV325 patches, routers still exposed to hacks
  • Cisco tells Nexus switch owners to disable POAP feature for security reasons
  • Cisco: Patch routers now against massive 9.8/10-severity security hole
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET
  • Editorial standards