This is a central management panel for Cisco
Nexus-based data center structures that performs automation, configuration
control, flow policy management, and real-time status details.
There are reportedly three different vulnerabilities, each with a score of 9.8/10 in the Common Vulnerability Scoring System (CVSS); according to vulnerability testing specialists, if exploited, these flaws would allow a remote hacker to bypass authentication and perform arbitrary activities with administrator privileges on the vulnerable system.
In addition, the report mentions that this is
not an attack chain, so it is possible to abuse only one of these
vulnerabilities without exploiting the remaining two. Also, a software version
could be affected by only one or two of these failures, the set of three
vulnerabilities do not necessarily affect all versions of DCNM.
The three serious vulnerabilities discovered
are described below:
API authentication bypass vulnerability: A flaw in the Cisco DCNM REST API
endpoint would allow a remote hacker to bypass authentication; this flaw exists
due to a static encryption key shared between installations, vulnerability
testing specialists say
API bypass vulnerability: A security weakness in the Cisco DCNM SOAP API
endpoint could allow an unauthenticated remote attacker to bypass
authentication in the failed-impacted deployment
bypass vulnerability: A weakness in the Cisco DCNM web management interface
would allow a remote threat actor to skip the authentication step on the
In addition to disclosing these three serious
vulnerabilities to the public, reports were released on multiple media security
flaws related to REST and SOAP APIs. These minor errors include:
API SQL injection vulnerability: Exploiting this vulnerability would allow an
authenticated remote attacker with administrative privileges to execute
arbitrary SQL commands on an affected device
API command injection vulnerability: A security flaw in the Cisco DCNM REST API
could allow an authenticated hacker with administrator privileges in the DCNM
application to inject arbitrary commands into the underlying operating system
The International Institute of Cyber Security (IICS)
recommends that users of the affected system keep abreast of any upgrades
issued by Cisco, in addition to installing any security patches that the
company deems necessary.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.