Security

Cisco addressed critical flaws in Cisco Data Center Network Manager

Cisco disclosed several vulnerabilities in its Data Center Network Manager (DCNM), including “critical” and “high severity. issues”

Cisco informed its customers about the presence of multiple security vulnerabilities in the web-based interface of the DCNM data center network management platform, including two critical security holes. The first critical issue tracked as CVE-2019-1620 that could be exploited by a remote, unauthenticated attacker to upload arbitrary files to the vulnerable device and execute code with root privileges.

“A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device.” reads the security advisory.

“The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.”

The second critical issue, tracked as CVE-2019-1619, could be exploited by a remote attacker to bypass authentication and perform arbitrary activities on the vulnerable devices with admin privileges. The flaw could be exploited by sending a specially crafted HTTP request to the affected device.

“A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the security advisory.

“The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.”

Cisco also addressed a DCNM issue, tracked as CVE-2019-1621, that could be exploited by a remote attacker to gain access to sensitive files and download them. An unauthenticated attacker could exploit the vulnerability by simply requesting specific URLs.

Another issue addressed by Cisco in the DCNM is a medium ‘severity’ information disclosure issue that could be exploited by an unauthenticated attacker to obtain log files and diagnostic information from the vulnerable device. Finally, Cisco fixed three other serious flaws.

All of these vulnerabilities were discovered the security researcher Pedro Ribeiro through the iDefense Vulnerability Contributor Program. The good news is that Cisco is not aware of attacks in the wild exploiting the flaws.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Cisco Data Center Network Manager, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

26 minutes ago

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

12 hours ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

14 hours ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

22 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

1 day ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

1 day ago