A researcher has publicly released some proof-of-concept (PoC) exploits and technical details for flaws in Cisco’s Data Center Network Manager (DCNM).

Early this month, Cisco released security updates for its Data Center Network Manager (DCNM) product that address several critical and high-severity vulnerabilities.

All the vulnerabilities were reported to Cisco through Trend Micro’s Zero Day Initiative (ZDI) and Accenture’s iDefense service by the security researcher Steven Seeley of Source Incite and Harrison Neal from PatchAdvisor.

Cisco published six advisories for a dozen vulnerabilities. Eleven of them were reported by Seeley; three of these issues have been rated as critical and seven as high severity. The issues reported by Neal have been rated as medium severity.

Some of the critical flaws addressed by Cisco in DCNM could be exploited by attackers to bypass authentication and execute arbitrary actions with admin privileges on the vulnerable devices.

“Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the advisory published by Cisco.

“For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.”

The vulnerabilities have been tracked as CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977. The issues affect the REST API endpoint, the SOAP API endpoint and the web-based management interface.

Cisco also addressed two of the high-severity SQL injection flaws that could be exploited by an attacker with administrative privileges to execute arbitrary SQL commands on a vulnerable device.

Three of the high-severity weaknesses could be exploited by an attacker to conduct path traversals, and two other high-severity issues could be exploited by an attacker with admin rights to inject arbitrary commands on the underlying operating system.

Seeley provided technical details for three remote code execution chains and various techniques implemented in his exploits.

“In this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.” wrote Seeley in a blog post.

Cisco assigned only 11 CVE identifiers to the flaws reported by Seeley, who nonetheless found over 100 exploitable bugs, including a hundred SQL injection issues, two command injections, four instances of hardcoded keys and credentials, four cases of XML external entity (XXE) injection, and 20 file read/write/delete issues.

Cisco has updated the advisories informing its customers of the availability of PoC exploits.

“The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.” states Cisco.

“Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.”

Pierluigi Paganini

(SecurityAffairs – Cisco DCNM, hacking)