Network Security, Patch/Configuration Management, Vulnerability Management

Cisco repairs 12 bugs in its Data Center Network Manager

Cisco Systems this month issued six security advisories disclosing a total of 12 vulnerabilities the Data Center Network Manager, three of them critical.

Designated CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977, the three most serious flaws could enable unauthenticated, remote attackers to bypass authentication measures and execute malicious actions with admin-level privileges. Collectively, the trio of vulnerabilities were assigned a CVSS base score of 9.8.

The first two were respectively found in the REST API endpoint and SOAP API endpoint, and is caused by the sharing of a static encryption key between installations. The remaining critical flaw was discovered in the web-based management interface and is due to static credentials.

Uncovered by Steven Seeley (aka mr_me) of Source Incite, in conjunction with Trend Micro’s Zero Day Initiative, these issues were fixed in Cisco DCNM Software releases 11.3(1) and later, as were the remaining bugs.

Of the seven high-level vulnerabilities, two are SQL injection flaws, three are path traversal bugs and two are command injection conditions. The two remaining, medium-level bugs consist of an XML external entity read access vulnerability and a JBoss EAP unauthorized access vulnerability.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.