Cisco Subnet An independent Cisco community

Prime time for Cisco vulnerabilities

Data center and hosted unified communications managers have holes

Vulnerabilities have cropped up in two versions of Cisco's Prime network management software. Three of them affect Cisco Prime Data Center Network Manager (DCNM) and another impacts the web framework of Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance.

The vulnerabilities in DCNM could allow an unauthenticated, remote attacker to disclose file components and access text files on an affected device. Specifically, the vulnerabilities involve information disclosure, remote command execution and XML external entity injection.


In the information disclosure vulnerability, the DCNM-SAN Server component of Cisco Prime DCNM could allow an unauthenticated, remote attacker to disclose arbitrary file contents on an affected system. The remote command execution glitch also affects the DCNM-SAN Server component and could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Prime DCNM application.

The external entity injection vulnerability could allow an unauthenticated, remote attacker to access arbitrary text files on the underlying operating system with root privileges using an XML external entity injection attack. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information, the advisory states.
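As a defensive illustration of the XML external entity class described above, the following added example (not Cisco's code and not part of the advisory) screens an incoming XML request body and refuses any DOCTYPE or entity declaration before parsing it. The function names and the sample request bodies are hypothetical and constructed for illustration; it assumes the service's legitimate requests never need a DTD.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Request body carries a DTD, an entity declaration, or is malformed."""


def screen_xml(data: bytes) -> None:
    """Tokenize with expat and refuse the DTD features that XXE depends on."""
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed: {name!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity not allowed: {system_id!r}")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def parse_request(data: bytes) -> ET.Element:
    """Parse a request body only after it has passed the DTD screen."""
    screen_xml(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True when the screen refuses the body, False when it parses."""
    try:
        parse_request(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample request bodies (not taken from the advisory).
BENIGN = b"<request><device>switch-01</device></request>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b"<request><device>&ext;</device></request>")
UNDECLARED = b"<request><device>&ext;</device></request>"
```

Rejecting the DOCTYPE outright also covers internal entity expansion, since both depend on a DTD being accepted.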

The vulnerabilities affect all versions of Cisco Prime DCNM prior to 6.2(1). Cisco says it has released free software updates that address these vulnerabilities, included in Release 6.2(1), but currently there are no workarounds that mitigate them. Cisco also says it is not aware of any public announcements or malicious use of the vulnerabilities.

The remote command execution and information disclosure vulnerabilities were reported to Cisco by TippingPoint's Zero Day Initiative. The XML external entity injection vulnerability was reported to Cisco by Ben Williams with NCC Group.

Williams also found the vulnerability in the web framework of Cisco Prime Central for HCS Assurance. Cisco Prime Central for HCS Assurance is designed to help service providers deliver unified communications-as-a-service, and allows HTTPS connections from external web clients on TCP ports 8443 and 9090.

This vulnerability is due to improper user authentication and inadequate session management, and could allow an unauthenticated, remote attacker to access sensitive information on the system. The attacker could exploit it by submitting a crafted HTTP request to the web user interface and reveal sensitive information, including user credentials.

Affected products include Cisco Prime Central for HCS Assurance versions 1.0.1 and 1.1. Cisco says it has released a free software update that addresses this vulnerability and has fixed it in Cisco Prime Central for HCS Assurance version 9.1.1. There are currently no workarounds that mitigate it.

Cisco says it is not aware of any public announcements or malicious use of the vulnerability.
