CVE-2019-15975，CVE-2019-15976，CVE-2019-15977： Critical Authentication Bypass Vulnerabilities in Cisco Data Center Network Manager

Cisco kicks off 2020 with 12 CVEs in Cisco Data Center Network Manager, including three critical authentication bypass vulnerabilities.

背景

On January 2, Cisco published a series of advisories for Cisco Data Center Network Manager (DCNM), a platform for managing Cisco’s data center deployments equipped with Cisco’s NX-OS. A total of 12 vulnerabilities were found and reported to Cisco, 11 of which were discovered by Steven Seeley of Source Incite.

Uninstall or patch you Cisco DCNM now!https://t.co/P0oBRvgg4f

— ϻг_ϻε (@steventseeley) January 2, 2020

分析

Of the 12 vulnerabilities patched by Cisco, the most severe include a trio of critical authentication bypass flaws, two of which reside in DCNM API endpoints.

CVE-2019-15975 and CVE-2019-15976 are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM due to the existence of a static encryption key shared between installations. A remote, unauthenticated attacker could gain administrative privileges through either the REST API or SOAP API by sending a specially crafted request that includes a valid session token generated using the static encryption key.

CVE-2019-15977 is an authentication bypass vulnerability in the web-based management interface for Cisco DCNM because of the use of static credentials. A remote, unauthenticated attacker could use these static credentials to extract sensitive information from the vulnerable device, enabling them to perform additional attacks.

Utilizing these authentication bypass vulnerabilities, attackers could leverage the remaining flaws patched by Cisco, which include command injection vulnerabilities (CVE-2019-15978, CVE-2019-15979), SQL injection vulnerabilities (CVE-2019-15984, CVE-2019-15985), path traversal vulnerabilities (CVE-2019-15980, CVE-15981, CVE-2019-15982) and an XML external entity vulnerability (CVE-2019-15983).

Seeley’s discovery of these vulnerabilities in Cisco DCNM was inspired by four flaws reported back in June 2019 by security researcher Pedro Ribeiro, including CVE-2019-1619, an authentication bypass flaw in the DCNM’s web-based management interface.

Your work inspired me my friend :->

— ϻг_ϻε (@steventseeley) January 2, 2020

Additionally, Cisco patched CVE-2019-15999, a vulnerability in the DCNM’s JBoss Enterprise Application Platform (EAP) reported by Harrison Neal of PatchAdvisor. This flaw exists because the authentication settings on the EAP were incorrectly configured.

概念验证

At the time this blog post was published, no proof-of-concept code has been released for any of the reported vulnerabilities.

解决方案

Cisco released updates to correct each of the specified vulnerabilities. Affected versions of Cisco DCNM software include releases earlier than 11.3 (1). We recommend reviewing the linked advisories under the “Get more information” section below.

识别受影响的系统

用于识别这些漏洞的 Tenable 插件列表在发布时将显示在此处。

获取更多信息

• Cisco Data Center Network Manager Authentication Bypass Vulnerabilities
• Cisco Data Center Network Manager SQL Injection Vulnerabilities
• Cisco Data Center Network Manager Path Traversal Vulnerabilities
• Cisco Data Center Network Manager Command Injection Vulnerabilities
• Cisco Data Center Network Manager XML External Entity Read Access Vulnerability
• Cisco Data Center Network Manager JBoss EAP Unauthorized Access Vulnerability

加入 Tenable Community 中的 Tenable 安全响应团队

了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息，全面管理现代攻击面。

获取 30 天免费试用版 Tenable.io Vulnerability Management。