Cisco Data Center Network Manager flaws fixed, Cisco ASA appliances under attack
Cisco has fixed 12 vulnerabilities in Cisco Data Center Network Manager (DCNM), a platform for managing Cisco switches and fabric extenders that run NX-OS, and has warned about a spike in exploitation attempts of an old flaw affecting Cisco Adaptive Security Appliance (ASA) and Firepower Appliance software.
Cisco Data Center Network Manager vulnerabilities
Three critical vulnerabilities (CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.
“The vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” Cisco shared.
They are present in APIs and the solution’s web-based management interface, and are caused by static encryption keys and credentials.
The other plugged holes include SQL injection, path traversal, command injection, and read access vulnerabilities, caused by insufficient validation of user-supplied input to some of the solution’s APIs.
There are no workarounds that address any of these, so the company advises administrators to upgrade their Cisco DCNM installations to software releases 11.3(1) and later as soon as possible.
The good news is that they’ve all been discovered and reported by Steven Seeley of Source Incite and are not being actively exploited.
Additionally, Cisco plugged CVE-2019-15999, a security hole in DCNM’s JBoss Enterprise Application Platform (EAP), which exists due to incorrectly configured authentication settings.
Cisco ASA appliances under attack
For those who might have missed it, it’s worth pointing out that Cisco Talos recently warned about a spike in exploitation attempts against CVE-2018-0296, a DoS and information disclosure directory traversal bug in Cisco Adaptive Security Appliance (ASA) and Firepower Appliance software.
“This vulnerability was first noticed being exploited publicly back in June 2018, but it appeared to increase in frequency in the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code,” threat researcher Nick Biasini noted in late December.
“Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (46897). Concerned customers should ensure it is enabled in applicable policies that could detect this exploitation attempt.”
Several PoCs for the vulnerability have been published on GitHub since the vulnerability was first disclosed.