Cisco Data Center software includes remote access flaw
Fri 31 Aug 2018
Cisco has released a patch to a recently-discovered security flaw in the Data Center Network Manager software.
The Data Center Network Manager (DCNM) software is used to manage switches and routers connected through LAN and SAN environments, including the Cisco Nexus switches and MDS enterprise SAN switches.
The vulnerability affects DCNM versions 11.0 or later, exposing sensitive data through a potential directory traversal attack.
The vulnerability is located in the management interface, where user requests may be improperly validated.
Exploiting this vulnerability, hackers could gain remote access to sensitive files by sending malicious requests containing instructions allowing access to the parent directory.
Once in the parent directory, a hacker can access sensitive information stored on the network, or create their own files and insert them into the system.
However, to take this action a hacker would need valid credentials, and to the company’s knowledge, the vulnerability has not yet been exploited in the real world.
A software update has been created to address this issue, however, there is no workaround available for users.
The patch is available only to DCNM customers with a valid software license.
The patch checks the version number through the web interface to see if the vulnerability exists, however, the web interface is not available in older versions of the software.
Researchers at Tenable, who first discovered the error, noted that the path traversal vulnerability is in the Download servlet and that a remote attacker could use this vulnerability to both access files and create directories.
In June of this year, Cisco received a number of questions about its practice of waiting weeks, or even months, before notifying customers of known security issues.
Cisco’s response noted that the delay was built into the notification system, as publicizing a critical vulnerability prior to having a patch for all affected versions would open other customers up to potential exploitation.
“Whenever possible before disclosing any vulnerability, Cisco will ensure that fixed code is available for all platforms affected by that particular vulnerability in order to best protect our customers,” the company noted in a blog post.
“However, implementing the fix into each supported code train for each supported platform will often affect the speed at which vulnerabilities can be remediated for any given platform.”