Cisco warns of a serious vulnerability in its data center software
Cisco Data Center Network Manager (DCNM) |
Cisco reports a critical vulnerability in Cisco Data Center Network Manager (DCNM). The automation software is widely used for network hardware of the product series MDS and Nexus. During internal testing, the company discovered that a bug in the software’s REST API allows attackers to bypass authentication and control a device with administrator privileges.
The vulnerability with the CVE-2020-3382 identifier is similar to a vulnerability in DCNM recently discovered by an external security researcher. A static key allowed hackers to generate a valid session token and take full control of a device via the REST API.
Patch now: Cisco warns of nasty bug in its data center software
Also with the new security hole a static key is the trigger. An attacker could exploit this vulnerability by using the static key to create a valid session token. "A successful attack could allow the attacker to perform arbitrary actions via the REST API with administrator privileges," Cisco said.
A patch is already available and administrators should install the latest version of Cisco DCNM. According to Cisco, there are no known active attacks on the security breach. The company also points out that it does not provide a makeshift solution and only the patch fixes the vulnerability.
The error is rated with 9.8 points in the ten-step Common Vulnerability Scoring System (CVSS). Affected are the DCNM versions 11.0(1), 11.1(1), 11.2(1) and 11.3(1).
Another critical vulnerability, according to Cisco, is in the web interface of the SD-WAN vManage software, which has a CVSS score of 9.9 points. Here it is possible to reconfigure a system remotely, switch it off or access confidential information. The trigger is insufficient verification of login data.
Off to new heights with Skysql, the ultimate Mariadb cloud
In this webinar we will introduce you to Skysql, explain the architecture and the differences to other systems such as Amazon RDS. In addition, you will gain insight into the product roadmap, a live demo and learn how to get Skysql up and running in just a few minutes.