Critical vulnerabilities found in Cisco Data Center Network Manager

Vulnerability testing specialists reported the existence of multiple flaws in the authentication mechanism of the Cisco Data Center Network Manager (DCNM) software, which runs on Nexus data center switches.

DCNM is a central management panel for Cisco Nexus-based data center fabrics that handles automation, configuration control and flow policy management, and provides real-time status details.

There are reportedly three different vulnerabilities, each with a score of 9.8/10 in the Common Vulnerability Scoring System (CVSS); according to vulnerability testing specialists, if exploited, these flaws would allow a remote hacker to bypass authentication and perform arbitrary activities with administrator privileges on the vulnerable system.

In addition, the report mentions that this is not an attack chain, so it is possible to abuse only one of these vulnerabilities without exploiting the remaining two. Also, a software version could be affected by only one or two of these flaws; the set of three vulnerabilities does not necessarily affect all versions of DCNM.

The three serious vulnerabilities discovered are described below:

  • REST API authentication bypass vulnerability: A flaw in the Cisco DCNM REST API endpoint would allow a remote hacker to bypass authentication; this flaw exists due to a static encryption key shared between installations, vulnerability testing specialists say
  • SOAP API bypass vulnerability: A security weakness in the Cisco DCNM SOAP API endpoint could allow an unauthenticated remote attacker to bypass authentication in the affected deployment
  • Authentication bypass vulnerability: A weakness in the Cisco DCNM web management interface would allow a remote threat actor to skip the authentication step on the affected device
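
Why a key shared between installations undermines authentication, shown as an added example (not Cisco's code and not taken from the report). The `Installation` class, the HMAC-signed token format and `STATIC_KEY` are hypothetical stand-ins, since the report does not describe how DCNM uses the key; the point is the audit check that a token minted on one installation must be rejected by another.

```python
import hashlib
import hmac
import secrets

# Constructed value standing in for a key that ships identically in every image.
STATIC_KEY = b"constructed-demo-key-same-in-every-install"


class Installation:
    """Hypothetical appliance that issues and verifies signed session tokens."""

    def __init__(self, name, key=None):
        self.name = name
        # Hardened form: with no key supplied, generate a unique random key
        # at install time so no two deployments share signing material.
        self.key = key if key is not None else secrets.token_bytes(32)

    def _tag(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, role):
        payload = f"{user}|{role}"
        return f"{payload}|{self._tag(payload)}"

    def verify(self, token):
        parts = token.split("|")
        if len(parts) != 3:
            return None
        user, role, tag = parts
        # Constant-time comparison of the presented tag with the expected one.
        if hmac.compare_digest(tag, self._tag(f"{user}|{role}")):
            return (user, role)
        return None


def cross_install_accepts(issuer, verifier):
    """Audit check: does `verifier` trust a token minted by `issuer`?"""
    token = issuer.issue("admin", "network-admin")
    return verifier.verify(token) is not None


if __name__ == "__main__":
    weak_a = Installation("site-a", STATIC_KEY)
    weak_b = Installation("site-b", STATIC_KEY)
    hard_a, hard_b = Installation("site-a"), Installation("site-b")
    print("shared static key, cross-install accepted:", cross_install_accepts(weak_a, weak_b))
    print("per-install key,   cross-install accepted:", cross_install_accepts(hard_a, hard_b))
```
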

In addition to the public disclosure of these three serious vulnerabilities, reports were released on multiple medium-severity security flaws related to the REST and SOAP APIs. These minor flaws include:

  • REST API SQL injection vulnerability: Exploiting this vulnerability would allow an authenticated remote attacker with administrative privileges to execute arbitrary SQL commands on an affected device
  • REST API command injection vulnerability: A security flaw in the Cisco DCNM REST API could allow an authenticated hacker with administrator privileges in the DCNM application to inject arbitrary commands into the underlying operating system

The International Institute of Cyber Security (IICS) recommends that users of the affected system keep abreast of any upgrades issued by Cisco, in addition to installing any security patches that the company deems necessary.