Cisco urges patching flaws in data-center, SD-WAN gear

Cisco has issued a number of critical security advisories for its data center manager and SD-WAN offerings that customers should deal with now.

On the data center side, the most critical – with a threat score of 9.8 out of 10 – involves a vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) that could let an unauthenticated, remote attacker bypass authentication and execute arbitrary actions with administrative privileges on an affected device.

Cisco DCNM lets customers see and control network connectivity through a single web-based management console for the company’s Nexus, Multilayer Director Switch, and Unified Computing System products.

“The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges,” Cisco stated. 

According to Cisco, this vulnerability affects all deployment modes of all Cisco DCNM appliances that were installed using .ova or .iso installers and Cisco DCNM software releases 11.0, 11.1, 11.2, and 11.3.
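As an added illustration (constructed for this article, not Cisco's code and not how DCNM itself is implemented), the Python model below shows why a key that is identical on every installation breaks session authentication, and why generating a fresh key per installation at install time closes the gap; the key value, class and function names are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical key baked into every image: the weak design the advisory describes.
STATIC_KEY = b"constructed-example-static-key"


def sign_token(key: bytes, claims: dict) -> str:
    """Encode claims and append an HMAC-SHA256 tag computed under `key`."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the tag verifies under `key`, else None."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class Appliance:
    """Model of one management appliance and the key it uses for session tokens."""

    def __init__(self, per_install_key: bool):
        # Hardened design: a random 256-bit key generated at install time,
        # so no two installations share signing material.
        self.key = secrets.token_bytes(32) if per_install_key else STATIC_KEY

    def issue(self, user: str, role: str) -> str:
        return sign_token(self.key, {"user": user, "role": role})

    def accepts(self, token: str) -> bool:
        return verify_token(self.key, token) is not None


def token_transfers_between_installs(per_install_key: bool) -> bool:
    """Does a token minted by one install pass verification on a second one?"""
    a, b = Appliance(per_install_key), Appliance(per_install_key)
    return b.accepts(a.issue("admin", "administrator"))
```

With the shared static key the token transfers (any install, or anyone holding that key, can mint tokens every install trusts); with per-install keys it does not, while each install still accepts its own tokens.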

The company issued eight other security warnings in the DCNM package, one of the worst being an 8.2-rated High vulnerability in REST API endpoints of DCNM that could let an authenticated, remote attacker inject arbitrary commands on the underlying operating system with the privileges of the logged-in user.

The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to inject arbitrary commands on the underlying operating system, Cisco said.

Other high-rated REST API security holes in DCNM were revealed as well.

As for the SD-WAN warnings, Cisco deemed two of them critical. The first, with a security-threat rating of 9.9, describes a weakness in the web-based management interface of Cisco SD-WAN vManage Software that could let an authenticated, remote attacker bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system.

The vulnerability is due to insufficient authorization checking on the affected system. An attacker could exploit this weakness by sending crafted HTTP requests to the web-based management interface of an affected system, Cisco stated. A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for the configured user-authorization level. The attacker may be able to access sensitive information, modify the system configuration, or affect system availability, Cisco stated.

The second critical warning, with a security threat rating of 9.8, is a vulnerability in Cisco SD-WAN Solution Software that could let an unauthenticated, remote attacker cause a buffer overflow on an affected device.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain access to information that they are not authorized to access, make changes to the system that they are not authorized to make, and execute commands on an affected system with privileges of the root user, Cisco said.

Vulnerable products include: IOS XE SD-WAN Software, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.

Cisco said there were no workarounds that address these vulnerabilities and that it had released software updates that address all of the weaknesses.
