It’s time to patch recently disclosed flaws in Cisco Data Center Network Manager (DCNM) software after a security researcher published proof-of-concept (PoC) exploit code for three critical authentication-bypass bugs that expose enterprise customers to remote attacks.
Fortunately, Cisco has already released patches and issued an advisory in early January for the flaws, which are tracked as CVE-2019-15975, CVE-2019-15976, and CVE-2019-15977. The three distinct bugs have a joint severity rating of 9.8 out of a possible 10.
Steven Seeley, the researcher who reported the bugs to Cisco, has now made good on a promise to explain the bugs in more detail and has also published PoC exploit code for them in a blog post.
“I share three full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session,” explains Seeley.
The DCNM security updates are relevant to enterprise data centers built with its NX-OS-based Nexus switches.
At the time of Cisco’s advisory, Seeley advised users to “uninstall or patch” their DCNM software immediately. That advice is even more pertinent now that attackers may use his PoC exploit code to launch remote attacks on enterprise data centers with Nexus equipment.
Two of the authentication bypass flaws were in the REST and SOAP APIs and were due to static encryption keys shared between installations. An attacker could exploit the bug by using the static key to craft a valid session token, Cisco warned. The third was caused by the use of static credentials in the web-based management interface of DCNM.
Seeley’s first method for gaining remote code execution (RCE) on DCNM software involves targeting the DCNM installer for Windows and the DCNM ISO Virtual Appliance for VMware.
The second RCE targets DCNM ISO Virtual Appliance for VMware, and the third RCE targets the DCNM Installer for Windows.
The researcher details code that an attacker could use to forge their own token and then use a hardcoded key to generate a Single Sign On (SSO) token to bypass authentication on DCNM.
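The root cause behind both the API bugs and the SSO token bug is the same design mistake: a signing key that is identical in every copy of the product, so a token minted against one installation is valid against all of them. The following is an added illustration written for this article, not code from Cisco, DCNM or Seeley’s write-up; it assumes a generic HMAC-signed session token and a constructed placeholder key, and contrasts a key shipped with the software against a key generated at install time.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed placeholder standing in for a key baked into every shipped copy
# of a product. It is not DCNM's real key, which this page does not contain.
STATIC_SHARED_KEY = b"example-key-shipped-in-every-install"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a session token: base64(payload).base64(HMAC-SHA256(key, payload))."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now + ttl)}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the MAC matches this key and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims


class Installation:
    """One deployment of the product, holding the key it verifies tokens with."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def login(self, user: str) -> str:
        return issue_token(self.key, user)

    def accepts(self, token: str) -> bool:
        return verify_token(self.key, token) is not None


def cross_install_accepts(per_install_keys: bool) -> bool:
    """Mint a token on installation A and check whether unrelated installation B accepts it.

    With a static key shared by every copy, B accepts A's token: whoever can read the
    key out of any one copy holds the key for all of them. With a key generated per
    installation (here: 32 random bytes at setup time), B rejects it.
    """
    if per_install_keys:
        a = Installation("A", secrets.token_bytes(32))
        b = Installation("B", secrets.token_bytes(32))
    else:
        a = Installation("A", STATIC_SHARED_KEY)
        b = Installation("B", STATIC_SHARED_KEY)
    return b.accepts(a.login("admin"))


if __name__ == "__main__":
    print("shared static key, token from A accepted by B:", cross_install_accepts(False))
    print("per-install random key, token from A accepted by B:", cross_install_accepts(True))
```

The fix for this class of bug is the second branch: derive or generate the token key during installation (and allow it to be rotated), rather than compiling one into the product. Patching is what makes that change effective on an existing deployment, which is why the advisory’s guidance to patch or uninstall matters more once the key is public.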
“Using this bug, we can send a SOAP request to the /DbAdminWSService/DbAdminWS endpoint and add a global admin user that will give us access to all interfaces,” wrote Seeley.
That technique was similar to the one used for four DCNM flaws reported by security researcher Pedro Ribeiro last year.