Cisco has disclosed a critical security vulnerability in Cisco Data Center Network Manager (DCNM), a key piece of Cisco's data-center automation software for its widely used MDS and Nexus line of networking hardware.
During internal testing, Cisco discovered that a bug in the REST application programming interface (API) of DCNM could allow anyone on the internet to skip the web interface's login and carry out actions as if they were an administrator of the device.
The newly disclosed bug, tagged as CVE-2020-3382, is similar to the static encryption key flaw in DCNM that an external researcher discovered earlier this year.
Attackers can use the static key to generate a valid session token on an affected device and do whatever they want through the REST API with administrative privileges.
"The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges," explains Cisco in the advisory.
Admins need to install the latest versions of Cisco's DCNM software releases to shut down the bug since there are no workarounds. However, Cisco notes it is not aware of attackers using this flaw yet.
The bug has a severity rating of 9.8 out of a possible 10, and affects DCNM software releases 11.0(1), 11.1(1), 11.2(1), and 11.3(1).
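To show why a key shared across installations defeats session tokens, here is an added example (not Cisco's code and not from the advisory) that puts the weak design beside a per-install key. The token format, the `TokenService` class and the key value are constructed for illustration and do not reflect DCNM's real implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical constant standing in for a key shipped in every copy of a product.
SHARED_STATIC_KEY = b"constructed-demo-key-same-in-every-install"


class TokenService:
    """Minimal HMAC-signed session tokens (constructed format, not DCNM's)."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, user: str, role: str) -> str:
        claims = json.dumps({"user": user, "role": role}, sort_keys=True)
        body = base64.urlsafe_b64encode(claims.encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def verify(self, token: str):
        """Return the claims dict if the signature checks out, else None."""
        body, sep, tag = token.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None
        return json.loads(base64.urlsafe_b64decode(body))


def cross_install_accepts(key_a: bytes, key_b: bytes) -> bool:
    """Does install B accept an admin token minted with install A's key?"""
    token = TokenService(key_a).issue("admin", "administrator")
    return TokenService(key_b).verify(token) is not None


def per_install_key() -> bytes:
    # Hardened form: generated once at install time and stored locally.
    return secrets.token_bytes(32)


if __name__ == "__main__":
    print("shared key  :", cross_install_accepts(SHARED_STATIC_KEY, SHARED_STATIC_KEY))
    print("per-install :", cross_install_accepts(per_install_key(), per_install_key()))
```

With the shared key, anyone who extracts it from one copy of the software holds the signing secret for every deployment; with a key generated per install, a token from one system fails verification on another.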
Cisco also reported a critical flaw with a severity rating of 9.9 in the web interface of its Cisco SD-WAN vManage software.
The bug, tracked as CVE-2020-3374, lets a person on the internet with the right credentials attack a system after bypassing authorization. From there, attackers could reconfigure a system and knock it offline or access sensitive information.
"The vulnerability is due to insufficient authorization checking on the affected system. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system," explained Cisco.
"A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for their configured user authorization level. The attacker may be able to access sensitive information, modify the system configuration, or impact the availability of the affected system."
Again, there are no workarounds, so admins need to install fixed releases from various software trains of Cisco SD-WAN vManage. Devices using releases 18.3 or prior will need to migrate to fixed releases from newer trains.
Fortunately, this bug was also discovered during a Cisco investigation with a customer. The company is not aware of public exploits for the vulnerability.