It's time to patch recently disclosed flaws in Cisco Data Center Network Manager (DCNM) software after a security researcher published proof-of-concept (PoC) exploit code for three critical authentication-bypass bugs that expose enterprise customers to remote attacks.
Fortunately, Cisco released patches and issued an advisory in early January for the flaws, which are tracked as CVE-2019-15975, CVE-2019-15975, and CVE-2019-15977. The three distinct bugs have a joint severity rating of 9.8 out of a possible 10.
Steven Seeley, the researcher who reported the bugs to Cisco, has now made good on a promise to explain the bugs in more detail and has also published PoC exploit code for them in a blog post.
"I share three full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session," explains Seeley.
The DCNM security updates are relevant to enterprise data centers built with its NX-OS-based Nexus switches.
At the time of Cisco's advisory, Seeley advised users to "uninstall or patch" their DCNM software immediately. That advice is even more pertinent now, as attackers may use his PoC exploit code to launch remote attacks on enterprise data centers with Nexus equipment.
Two of the authentication bypass flaws were in the REST and SOAP APIs and were due to static encryption keys shared between installations. An attacker could exploit the bug by using the static key to craft a valid session token, Cisco warned. The third was caused by the use of static credentials in the web-based management interface of DCNM.
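The shared-key weakness described above, shown as an added example that is not code from Cisco, Seeley or the original article. It is a toy HMAC session-token scheme in which the token format, class names and key value are all hypothetical and constructed here; it contrasts a key embedded in every installation with a key generated per installation.

```python
import hashlib
import hmac
import secrets

# Hypothetical constant standing in for a key compiled into every copy of a product.
STATIC_KEY = b"constructed-demo-key-shipped-in-every-install"


class Installation:
    """Toy session-token issuer/verifier (hypothetical format: user|expiry|mac)."""

    def __init__(self, per_install_key: bool):
        # Weak: every installation uses the same embedded key.
        # Hardened: each installation generates its own random key at setup time.
        self.key = secrets.token_bytes(32) if per_install_key else STATIC_KEY

    def _mac(self, payload: str) -> bytes:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest().encode()

    def issue(self, user: str, expiry: int) -> str:
        payload = f"{user}|{expiry}"
        return f"{payload}|{self._mac(payload).decode()}"

    def verify(self, token: str, now: int) -> bool:
        try:
            user, expiry, mac = token.split("|")
            expired = int(expiry) < now
        except ValueError:
            return False  # malformed token
        # Constant-time comparison avoids leaking MAC bytes through timing.
        valid = hmac.compare_digest(mac.encode(), self._mac(f"{user}|{expiry}"))
        return valid and not expired


def cross_install_accepts(per_install_key: bool) -> bool:
    """Does a token minted on one installation validate on a different one?"""
    lab_copy = Installation(per_install_key)    # any copy of the same software
    production = Installation(per_install_key)  # the deployment being protected
    token = lab_copy.issue("admin", expiry=2_000)
    return production.verify(token, now=1_000)


if __name__ == "__main__":
    print("static shared key    :", cross_install_accepts(False))
    print("per-installation key :", cross_install_accepts(True))
```

With the static key, trust in a token reduces to knowledge of a value present in every copy of the software; with a per-installation key, a token is only meaningful to the installation that issued it.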
Seeley's first method for gaining remote code execution (RCE) on DCNM software involves targeting the DCNM installer for Windows and the DCNM ISO Virtual Appliance for VMware.
The second RCE targets DCNM ISO Virtual Appliance for VMware, and the third RCE targets the DCNM Installer for Windows.
The researcher details code that an attacker could use to forge their own token and then use a hardcoded key to generate a Single Sign On (SSO) token to bypass authentication on DCNM.
"Using this bug, we can send a SOAP request to the /DbAdminWSService/DbAdminWS endpoint and add a global admin user that will give us access to all interfaces," wrote Seeley.
That technique was similar to the one used for four DCNM flaws reported by security researcher Pedro Ribeiro last year.