Security Experts:

Critical Flaws Found in Cisco Data Center Network Manager

Cisco on Wednesday informed customers that its Data Center Network Manager (DCNM) product is affected by several vulnerabilities, including ones described as “critical” and “high severity.”

According to Cisco, the web-based interface of the DCNM data center network management platform is affected by two critical security holes. One of them, tracked as CVE-2019-1620, allows a remote, unauthenticated attacker to upload arbitrary files to the impacted device and execute code with root privileges.

The second critical flaw, identified as CVE-2019-1619, can be exploited by a remote attacker to bypass authentication and perform arbitrary activities on the impacted device with admin privileges. Exploitation of this vulnerability involves sending a specially crafted HTTP request to the affected device.

Another potentially serious vulnerability identified in DCNM is CVE-2019-1621, which allows a remote attacker to gain access to sensitive files and download them. Launching an attack involves requesting specific URLs, with no authentication being required.

Finally, Cisco has learned that DCNM is affected by an information disclosure issue that can be exploited remotely without authentication to obtain log files and diagnostic information from the targeted device. This security hole has been assigned a “medium severity” rating.

The three more serious flaws have been fixed with software updates, but no patches or workarounds appear to be available for the medium-severity issue.

All of these vulnerabilities were reported to Cisco by researcher Pedro Ribeiro through the iDefense Vulnerability Contributor Program and there is no indication that any of them have been exploited for malicious purposes.

Related: Several Vulnerabilities Found in Cisco Industrial Network Director

Related: Default Account in Cisco CSPC Allows Unauthorized Access

Related: Cisco Patches Critical Vulnerability in Data Center Switches

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.