Cisco issues critical patches for Data Center Network Manager

According to multiple security advisories from Cisco, two critical patches were released for vulnerabilities in the Data Center Network Manager. Both vulnerabilities register as a 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. In layman’s terms, this is about as serious as a security flaw can get. Here’s a closer look at both vulnerabilities.

The first critical vulnerability is (CVE-2019-1620), which has been dubbed the “Cisco Data Center Network Manager Arbitrary File Upload and Remote Code Execution Vulnerability.” Cisco explains the mechanics of the flaw, as well as what attackers can do with it, in the following advisory excerpt:

The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.

The second severe flaw is (CVE-2019-1619) which, yet again, is given a verbose name. Entitled the “Cisco Data Center Network Manager Authentication Bypass Vulnerability,” the critical vulnerability is explained as follows:

The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.

One major point to note is that in the case of both vulnerabilities for the Data Center Network Manager, there are no workarounds that sysadmins can employ. The only way to end the possibility of a threat actor leveraging these flaws against your network is to patch. Especially now that the intricate details of the vulnerabilities are public knowledge, thanks to the security advisories, it is imperative to take care of this as soon as possible. The last thing you want is to be that person who is responsible for a security incident that was entirely preventable.

Featured image: Wikimedia/Lalantha123madushanka

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Software-defined perimeter solutions: Why this is the future of security

Traditional VPNs are showing their age in the modern cloud-powered workplace. That’s why software-defined perimeter solutions are in your future.

2 days ago

Why you need to check your virtualization host’s NUMA configuration

Should you disallow NUMA spanning in your Hyper-V architecture? There are two sides to this story, and you’ll get both…

2 days ago

Getting started with Visual Studio Code and integrating with Azure DevOps

Coding may not be the No. 1 job duty for cloud admins, but it is often a part of the…

3 days ago

Apple Event 2019: New iPad, Apple Watch, and more

Apple Event 2019 was more than just about iPhones. The tech giant also rolled out new iPads, an upgraded Apple…

3 days ago

Migrating and configuring Hyper-V passthrough disks

Believe it or not, Hyper-V virtual machines can be configured to use a dedicated physical hard disk, which is referred…

3 days ago

Cut costs and kick back: Use Azure automation accounts for VM utilization

Using Azure automation accounts to start and stop your VMs may just save you enough time to kick back, relax,…

4 days ago