Cisco Systems warned customers to patch their Data Center Network Manager (DCNM) system to fix serious security vulnerabilities in the software.
Cisco Systems is urging customers to patch their Data Center Network Manager (DCNM), a management system for Cisco’s Unified Fabric. Updates are addressing serious multiple authentication vulnerabilities. According to Cisco’s statement, there are no workarounds to the problems, so patches are urgent. The vulnerabilities affect all versions of DCNM earlier than 11.3 for Windows, Linux, and virtual appliance platforms.
Authentication vulnerabilities
- CVE-2019-15975 vulnerability affects the REST API endpoint. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.
- CVE-2019-15976 affects the SOAP API endpoint. This flaw can be exploited by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the SOAP API with administrative privileges.
- CVE-2019-15977 is a vulnerability in DCNM’s web-based management interface. A successful exploit could allow the attacker to access a specific section of the web interface and obtain certain confidential information from an affected device. This information could be used to conduct further attacks against the system.