Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Critical Flaws Found in Cisco Data Center Network Manager

Cisco on Wednesday informed customers that its Data Center Network Manager (DCNM) product is affected by several vulnerabilities, including ones described as “critical” and “high severity.”

Cisco on Wednesday informed customers that its Data Center Network Manager (DCNM) product is affected by several vulnerabilities, including ones described as “critical” and “high severity.”

According to Cisco, the web-based interface of the DCNM data center network management platform is affected by two critical security holes. One of them, tracked as CVE-2019-1620, allows a remote, unauthenticated attacker to upload arbitrary files to the impacted device and execute code with root privileges.

The second critical flaw, identified as CVE-2019-1619, can be exploited by a remote attacker to bypass authentication and perform arbitrary activities on the impacted device with admin privileges. Exploitation of this vulnerability involves sending a specially crafted HTTP request to the affected device.

Another potentially serious vulnerability identified in DCNM is CVE-2019-1621, which allows a remote attacker to gain access to sensitive files and download them. Launching an attack involves requesting specific URLs, with no authentication being required.

Finally, Cisco has learned that DCNM is affected by an information disclosure issue that can be exploited remotely without authentication to obtain log files and diagnostic information from the targeted device. This security hole has been assigned a “medium severity” rating.

The three more serious flaws have been fixed with software updates, but no patches or workarounds appear to be available for the medium-severity issue.

All of these vulnerabilities were reported to Cisco by researcher Pedro Ribeiro through the iDefense Vulnerability Contributor Program and there is no indication that any of them have been exploited for malicious purposes.

Related: Several Vulnerabilities Found in Cisco Industrial Network Director

Advertisement. Scroll to continue reading.

Related: Default Account in Cisco CSPC Allows Unauthorized Access

Related: Cisco Patches Critical Vulnerability in Data Center Switches

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.