A trio of critical vulnerabilities in the Cisco Data Center Network Manager (DCNM) product could let hackers remotely bypass authentication and waltz into enterprises’ data centre systems, owing to rudimentary security errors including hard-coded credentials.
The trio of bugs were among a colossal 120+ vulnerabilities in the product found by security researcher Steven Seeley — who runs Source Incite — then reported to the company via a bug bounty programme, Trend Micro’s Zero Day Initiative.
The Australia-born server-side web security specialist told Computer Business Review that the trio of vulnerabilities (given a CVSS score of 9.8) were “literally the worst [they] could be [providing an attacker with] unauthenticated remote code execution as root…”
He added: “[A hacker] could access anything, all data, credentials, etc.”
(Months earlier, in late September 2019, he was turned down for a job with Cisco’s security team, Talos, after “eight interviews”, he says. We suspect just the faintest soupçon of schadenfreude could be detected as the reports were filed to the ZDI).
Interviewing with @TalosSecurity
Them: So if you get the job you can't audit any of our products
… *8 interviews later* …
Them: Sorry, but you didn't get the job
— ϻг_ϻε (@steventseeley) September 27, 2019
Cisco said this week it has patched the bugs in the DCNM (designed as a “comprehensive management solution for all NX-OS network deployments spanning LAN fabrics, SAN fabrics, and IP Fabric for Media (IPFM) networking in the data center powered by Cisco”) and users have been urged to update the software as a matter of urgency.
Unfortunately, as Computer Business Review’s readers will be only too aware, not all enterprises were created equal when it comes to patch management, with far too many neglecting critical patches — a high-risk approach for any business at the best of times.
Cisco Data Center Network Manager – Patch Now
Seeley told Computer Business Review that he would be releasing the source code next week, saying that the bugs were “trivial” to exploit — although they had taken some extensive research to find, initially. In a Twitter DM, he told us: “It took a month of auditing; some proper source code review and run time debugging.
“But exploitation is trivial”.
He plans to release the exploit code next week, by which point credible users will, hopefully, have done the right thing and promptly patched. (The vulnerabilities have been given the CVSS of 9.8 — about as bad as it gets).
In a security update, Cisco noted that the three vulnerabilities are not a chain of attacks dependent on one another; they are three independent, serious flaws: “Exploitation of one of the vulnerabilities is not required to exploit another vulnerability.”
One of the three attacks boils down to the presence of hard-coded credentials: CVE-2019-15977 is a vulnerability in the web-based management interface of Cisco DCNM that could allow an unauthenticated, remote attacker to bypass authentication.
The second, CVE-2019-15975, is a vulnerability in the REST API endpoint, again, because a “static encryption key is shared between installations.”
As Cisco warns: “An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.”
The same issue applies to the third vulnerability, which resides in the SOAP API endpoint of the Cisco Data Center Network Manager.
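To show why a signing key that ships identically in every installation makes a session token valid on any other deployment, and how a key generated at install time removes that property, here is an added example that is not Cisco’s code; the key value, token format, and class names are all constructed for illustration:

```python
import hmac
import hashlib
import secrets
import time

# Constructed placeholder, NOT any real product key: stands in for a key that is
# baked into the software image and is therefore identical on every installation.
STATIC_SHARED_KEY = b"placeholder-key-baked-into-every-installation"


class SessionTokenService:
    """Issues and verifies HMAC-signed session tokens for one installation."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, user: str, role: str, ttl: int = 3600) -> str:
        payload = f"{user}:{role}:{int(time.time()) + ttl}"
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"

    def verify(self, token: str):
        """Return (user, role) if the MAC is valid and the token is unexpired, else None."""
        try:
            user, role, exp, mac = token.rsplit(":", 3)
            expiry = int(exp)
        except ValueError:
            return None
        payload = f"{user}:{role}:{exp}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or expiry < time.time():
            return None
        return user, role


def static_key_install() -> SessionTokenService:
    """Weak pattern: every installation signs with the same key from the image."""
    return SessionTokenService(STATIC_SHARED_KEY)


def per_install_key_install() -> SessionTokenService:
    """Hardened pattern: a fresh random key is generated at install time and kept
    only on that appliance, so a token is bound to the deployment that issued it."""
    return SessionTokenService(secrets.token_bytes(32))


def token_transfers(factory) -> bool:
    """Does a token issued by installation A verify on an unrelated installation B?"""
    install_a, install_b = factory(), factory()
    token = install_a.issue("admin", "administrator")
    return install_b.verify(token) is not None
```

The check to look for in a review of any appliance is the second pattern: the key must be absent from the shipped image and created per deployment, otherwise every customer shares one secret.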
Patches are available for releases 11.3(1) and later. Users who haven’t patched yet can download the software from the Software Center on Cisco.com.
- Click Browse All.
- Choose Cloud and Systems Management > Data Center Infrastructure Management > Data Center Network Manager.
- Choose a release from the left pane of the Data Center Network Manager page.
Critics said Cisco’s track record of security was beginning to be concerning.
SecureData’s Carl Morris and Wicus Ross told Computer Business Review: “Cisco has a history of issuing security updates that remove static keys or hardcoded credentials. This type of security flaw, speaking in the most flattering terms, equates to extreme laziness and negligence from a software development and quality assurance point of view. It could also be viewed with suspicion as it resembles what some might call a ‘backdoor’.”
They added: “SecureData manages several security products on behalf of its clients and we have found that there is a long delay between patch availability and applying the patch. This mostly comes down to lengthy change control and approval processes. In the meantime, attackers are crafting exploits.
“Smaller nation states can launch cyber-attacks against businesses, normally protected by their military in an armed conflict, with measurable dollar value impact. This type of cyber-conflict will become more evident given the increase in current geopolitical tensions.”