Cisco fixes critical flaws in data center and SD-WAN solutions

Cisco has released another batch of critical security updates for flaws in Cisco Data Center Network Manager (DCMN) and the Cisco SD-WAN Solution software.

Cisco data center flaws

Cisco Data Center Network Manager flaws

Cisco Data Center Network Manager is the network management platform for all NX-OS-enabled deployments, spanning new fabric architectures, IP Fabric for Media, and storage networking deployments for the Cisco Nexus-powered data center.

These latest updates fix:

  • One critical authentication bypass vulnerability (CVE-2020-3382) in the solution’s REST API that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device
  • Five high-risk flaws that could allow an authenticated, remote attacker to inject arbitrary commands on the affected device, write arbitrary files in the system with the privileges of the logged-in user, perform arbitrary actions through the REST API with administrative privileges, and interact with and use certain functions within the Cisco DCNM
  • Three medium-risk bugs (XSS, SQL injection, information disclosure)

The vulnerabilities affect various versions of the Cisco Data Center Network Manager software and their exploitability occasionally depends on how the Cisco DCNM appliances were installed. But the fixes are all included in the latest Cisco DCNM software releases: 11.4(1) and later.

The flaws were either reported by security researchers or found by Cisco during internal security testing, and there is no indication that any of them are actively exploited.

The Cisco SD-WAN Solution software flaws

Cisco SD-WAN gives users the ability to manage connectivity across their WAN from a single dashboard: the Cisco vManage console.

The company has found:

  • A critical buffer overflow vulnerability (CVE-2020-3375) affecting Cisco SD-WAN Solution software that could be exploited by sending crafted traffic to an affected device and could allow the attacker to gain access to information that they are not authorized to access, make changes to the system that they are not authorized to make, and execute commands on an affected system with privileges of the root user
  • A critical vulnerability (CVE-2020-3374) in the web-based management interface of Cisco SD-WAN vManage Software that could be exploited by sending crafted HTTP requests to it and could allow the attacker to access sensitive information, modify the system configuration, or impact the availability of the affected system.

Again, there is no indication that these flaws are being exploited, but Cisco urges admins to implement the security updates as soon as possible, as there are no workarounds for addressing these flaws.

Security advisories for all of the fixed flaws can be found here.

Don't miss