Cisco is kicking off 2020 with the release of a crop of patches for its Data Center Network Manager.
The updates address a total of 12 CVE-listed vulnerabilities that range in severity from moderate to critical, though all should be patched regardless of rating. Nearly all were found within the REST and SOAP APIs.
The immediate priority should be cleaning up CVE-2019-15975, CVE-2019-15976, and CVE-2019-15977, a trio of authentication bypass bugs that can be exploited remotely without authentication.
The three flaws are all related to the use of static encryption keys or credentials used by DCNM. CVE-2019-15975 allows an attacker to use the static key via REST API to craft a new, valid session token which grants admin privileges. CVE-2019-15976 describes the same issue via the SOAP API, while CVE-2019-15977 describes static credentials that only allow access to "certain confidential information," but that information could be used for other attacks.
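Why a static key undermines session tokens, as an added illustration that is not Cisco's code and does not reflect DCNM's actual token format: the HMAC-signed token layout, `SHIPPED_STATIC_KEY`, and the `Server` class are assumptions constructed for this example. It contrasts a key shared by every install with one generated randomly at install time.

```python
import base64, hashlib, hmac, json, secrets

# Constructed value standing in for a key compiled into every shipped copy.
SHIPPED_STATIC_KEY = b"constructed-key-identical-in-every-install"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def issue_token(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 tag computed with `key`."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_token(token: str, key: bytes):
    """Return the claims if the tag verifies under `key`, otherwise None."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

class Server:
    """Hypothetical token-checking service; only the key source differs."""
    def __init__(self, per_install_key: bool):
        # Weak: every deployment shares the shipped key.
        # Hardened: 32 random bytes generated at install time, never shipped.
        self.key = secrets.token_bytes(32) if per_install_key else SHIPPED_STATIC_KEY

    def login(self, user: str, role: str) -> str:
        return issue_token({"user": user, "role": role}, self.key)

    def authorize(self, token: str):
        return verify_token(token, self.key)

def demo():
    # Anyone holding a copy of the product holds SHIPPED_STATIC_KEY, so a token
    # minted off-box carries a tag the weak server cannot tell from its own.
    offbox = issue_token({"user": "nobody", "role": "admin"}, SHIPPED_STATIC_KEY)
    weak, hardened = Server(per_install_key=False), Server(per_install_key=True)
    return weak.authorize(offbox), hardened.authorize(offbox)
```

The hardened server still accepts tokens it issued itself; only the secrecy of the key changed, which is why the fix for this bug class is key management rather than a different signature algorithm.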
Also patched were three path traversal vulnerabilities in DCNM that, while bad in their own right, become an even bigger risk when paired with the above-mentioned authentication bypass bugs. An attacker can exploit the authentication bypass flaws for admin access, then use the path traversal bugs to get access to other devices and data. Those flaws were designated CVE-2019-15980 and CVE-2019-15981.
CVE-2019-15984 and CVE-2019-15985 are SQL injection flaws inside the REST and SOAP APIs that would allow a remote baddie to send arbitrary SQL commands. Both CVE-2019-15978 and CVE-2019-15979 allow the remote injection of OS commands.
Information disclosure is also possible via CVE-2019-15983, which Cisco describes as an XML External Entity Read Access vulnerability - basically, the bad guy uses SOAP API commands to send XML that can then read arbitrary files. This requires admin access, which, luckily, is awarded via exploiting one of the earlier bypass flaws. Like we said, beware chained exploits.
Finally, there is CVE-2019-15999, a flaw that would allow a remote attacker to get low-privilege access to JBoss Enterprise Application Platform, a component that should only be accessible to local accounts.
Admins are advised to review, test, and install all of the patches as soon as possible. ®