Just six months ago Cisco was forced to patch a trio of critical vulnerabilities in its Data Center Network Manager (DCNM), a widely used network management platform. The bugs included hard-coded credentials (bad) and gave a remote attacker unauthenticated remote code execution as root (very bad). They were also "trivial" to exploit.
The bugs were among 120+ vulnerabilities (really) in DCNM reported to Cisco by security researcher Steven Seeley. Half a year later, customers would be forgiven for wondering how much of a Swiss cheese the product is, because the critical security holes keep coming — with some familiar flavours. (There is some good news however.)
Data Center Network Manager Vulnerabilities: What’s New?
Late Thursday (July 30) Cisco patched yet another critical (CVSS 9.8) security vulnerability in DCNM that was the apparent result of a design flaw.
This bug, CVE-2020-3382, is in the REST API and affects all deployment modes of Cisco DCNM appliances installed from the .ova or .iso images, in releases 11.0(1), 11.1(1), 11.2(1), and 11.3(1). (It does not affect DCNM installed on a customer-provided OS with the Windows or Linux installer, which covers a healthy chunk of users.)
Exploitation would allow, in Cisco's own words, an "unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device." From nothing to everything, in short: skipping the DCNM login entirely to play petite god on someone's network.
Earlier this year SecureData‘s Carl Morris and Wicus Ross told Computer Business Review that Cisco has a “history of issuing security updates that removes static keys or hardcoded credentials”, describing this issue as “in the most flattering terms equates to extreme laziness and negligence from a software development and QA point of view”.
It may prove troubling for customers, as a result, that the vulnerability (again) exists — as Cisco puts it — “because different installations share a static encryption key.
“An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.”
(The bug sounds worryingly similar to January’s flaw; enough so to suggest that perhaps the initial patch wasn’t substantial enough or wide-reaching enough. Better news: this time it was spotted internally, rather than by a third-party).
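The advisory describes the weakness class, not the token format, so the following is an added illustration written for this article and is not Cisco's code: it models what "different installations share a static encryption key" means in practice. The token layout, the claim names, the constant STATIC_KEY and the function names are all assumptions chosen for the demonstration. The point it shows is that once the key is the same in every shipped image, anyone who owns one copy of the image can mint an administrative session for any other install, and that the fix is a key generated per installation rather than a longer or better-hidden shared one.

```python
# Illustrative model of the CVE-2020-3382 weakness class: a session-signing key
# shared by every installation. Not Cisco's code; all names and formats here
# are assumptions made for this example.
import base64
import hashlib
import hmac
import json
import os
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionTokens:
    """Minimal HMAC-signed session token: base64(payload).base64(mac)."""

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, user: str, role: str, ttl: int = 3600, now=None) -> str:
        now = int(time.time()) if now is None else now
        claims = {"sub": user, "role": role, "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64url_encode(payload) + "." + b64url_encode(mac)

    def verify(self, token: str, now=None):
        """Return the claims if the MAC checks out and the token is unexpired, else None."""
        now = int(time.time()) if now is None else now
        try:
            payload_part, mac_part = token.split(".")
            payload, mac = b64url_decode(payload_part), b64url_decode(mac_part)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
        if claims.get("exp", 0) < now:
            return None
        return claims


# Weak pattern: the same key is baked into every appliance image (constructed value).
STATIC_KEY = b"same-key-in-every-appliance-image"


def forge_admin_token_with_static_key(now=None) -> str:
    """Attacker side: the key is readable from any copy of the image, so the attacker
    signs an admin token for a victim install without ever authenticating to it."""
    return SessionTokens(STATIC_KEY).issue("attacker", "admin", now=now)


def vulnerable_install_accepts(token: str, now=None):
    """Victim install that still uses the shared key: the forged token verifies."""
    return SessionTokens(STATIC_KEY).verify(token, now=now)


def new_install_key() -> bytes:
    """Hardened pattern: a fresh random key generated on each installation at first boot."""
    return os.urandom(32)


def hardened_install_accepts(token: str, now=None):
    """Victim install with its own per-install key: the attacker's token does not verify,
    because knowing the key from one image says nothing about any other install."""
    return SessionTokens(new_install_key()).verify(token, now=now)


def tamper_payload(token: str, claims: dict) -> str:
    """Swap the payload but keep the old MAC, to show that a tampered token is rejected
    even against the shared key; the forgery works only because the key itself leaked."""
    _, mac_part = token.split(".")
    payload = json.dumps(claims, sort_keys=True).encode()
    return b64url_encode(payload) + "." + mac_part


if __name__ == "__main__":
    forged = forge_admin_token_with_static_key()
    print("shared key accepts forged admin token:", vulnerable_install_accepts(forged) is not None)
    print("per-install key accepts forged token:", hardened_install_accepts(forged) is not None)
```

The HMAC itself is sound in both cases; the difference is entirely in where the key comes from. That is why the check a practitioner wants after this class of advisory is not "is the token signed" but "is the signing key unique to this install and was it regenerated after the patch", since a patch that only rotates one static key for another leaves every image sharing the new one.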
What else is new?
Cisco also patched five high-severity flaws in DCNM: two command-injection flaws (CVE-2020-3377 and CVE-2020-3384); a path traversal issue (CVE-2020-3383); another authorisation flaw (CVE-2020-3386), for which an attacker would need some privileges to start the attack; and an authentication bypass (CVE-2020-3376) allowing an unauthenticated, remote attacker to bypass authentication.
Yet another critical (CVSS 9.8) vulnerability, CVE-2020-3375, meanwhile, has been patched by Cisco in Cisco SD-WAN Solution Software. This affects
- IOS XE SD-WAN Software
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vManage Software
- SD-WAN vSmart Controller Software
Again, it gives a remote, pre-authentication attacker root. There are no workarounds, so sysadmins will want to get patching at the earliest opportunity, if not already done.
A Cisco spokesperson told Computer Business Review: “At Cisco, we disclose vulnerabilities regardless of how the vulnerability was found or who found it. In fact, the majority of our disclosures are vulnerabilities that we find internally. We disclose these vulnerabilities with a goal of helping customers understand and manage their risk. Our commitment is to be trustworthy, transparent, and accountable.
“Our goal at Cisco is to always try to reduce the number of vulnerabilities and continuously enhance our products. Unfortunately, despite the best efforts of technology vendors, security vulnerabilities do still occur.
“We are actively developing new tools and techniques to identify and resolve these issues before they reach our customers.”