Flaws found in Cisco's networking equipment operating system; Patch issued

News by Rene Millman

Cisco has released updates to its networking equipment operating system NX-OS after security researchers found three critical authentication bypass vulnerabilities.

The flaws could enable an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on particular devices, according to a blog post by Tenable.

NX-OS is Cisco’s operating system for its Ethernet switches and MDS-series Fibre Channel storage area network switches.

Researchers said that of the 12 vulnerabilities patched by Cisco, the most severe are a trio of critical authentication bypass flaws, two of which reside in DCNM API endpoints. All three bugs received a severity score of 9.8.

CVE-2019-15975 and CVE-2019-15976 are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM, which arise from a static encryption key shared between installations.

Researchers said a remote, unauthenticated attacker could gain administrative privileges through either the REST API or SOAP API by sending a specially crafted request that includes a valid session token generated using the static encryption key. 
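The root cause described above can be shown with a short added example, which is not code from Cisco, Tenable or the original article. The HMAC-signed token format, the `Installation` class and the key value are hypothetical and constructed for illustration; they contrast a key shared by every installation with a random key generated per installation.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-in for a key baked into every copy of a product image.
STATIC_KEY = b"constructed-demo-key-identical-in-every-install"

class Installation:
    """One deployment of a hypothetical management server (assumed design)."""

    def __init__(self, key=None):
        # Hardened form: no key supplied, so draw 256 random bits at install time.
        self.key = key if key is not None else secrets.token_bytes(32)

    def _tag(self, body):
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac)

    def issue(self, user, role, ttl=300, now=None):
        now = time.time() if now is None else now
        claims = {"sub": user, "role": role, "exp": int(now) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._tag(body)).decode()

    def verify(self, token, now=None):
        """Return the claims if the token is authentic and unexpired, else None."""
        now = time.time() if now is None else now
        try:
            body, tag = token.encode().split(b".")
        except ValueError:
            return None
        # Constant-time comparison of the presented tag with the expected one.
        if not hmac.compare_digest(tag, self._tag(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims["exp"] > now else None

def accepted_elsewhere(shared_key):
    """Does a token minted by installation A verify on installation B?"""
    if shared_key:
        site_a, site_b = Installation(STATIC_KEY), Installation(STATIC_KEY)
    else:
        site_a, site_b = Installation(), Installation()
    token = site_a.issue("operator", "admin")
    return site_b.verify(token) is not None

if __name__ == "__main__":
    print("static key shared by installs:", accepted_elsewhere(True))
    print("per-installation random key: ", accepted_elsewhere(False))
```

With the shared key, the second installation cannot distinguish its own tokens from those minted anywhere else the same software is installed; with per-installation keys the same token fails verification.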

CVE-2019-15977 is an authentication bypass vulnerability in the web-based management interface for Cisco DCNM because of the use of static credentials. An attacker could use these static credentials to extract sensitive information from the vulnerable device, enabling them to perform additional attacks.

"Utilising these authentication bypass vulnerabilities, attackers could leverage the remaining flaws patched by Cisco, which include command injection vulnerabilities (CVE-2019-15978, CVE-2019-15979), SQL injection vulnerabilities (CVE-2019-15984, CVE-2019-15985), path traversal vulnerabilities (CVE-2019-15980, CVE-2019-15981, CVE-2019-15982) and an XML external entity vulnerability (CVE-2019-15983)," the researchers said.

In an advisory, Cisco said that the "vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities."

Additionally, Cisco patched CVE-2019-15999, a vulnerability in the DCNM’s JBoss Enterprise Application Platform (EAP) reported by Harrison Neal of PatchAdvisor. This flaw exists because the authentication settings on the EAP were incorrectly configured, researchers said.

Cisco fixed these vulnerabilities in Cisco DCNM Software releases 11.3(1) and later. Cisco added that there are no workarounds for the problems.

Kevin Bocek, VP - security strategy and threat intelligence at Venafi, told SC Media UK that with machine-to-machine communication, security access and use of APIs is just as important as the ‘API first’ development mantra. 

"It’s why F5 Networks recently spent US$1 billion (£0.76 billion) in its recent acquisition of Shape Security. Cisco’s latest vulnerabilities demonstrate that protecting the access to APIs and the identities of the machines accessing them is a challenge. Protocols such as TLS, machine identities such as TLS certificates, and the encryption keys that make connections private and unique continue to be a challenge. Hackers know this and scan the internet and networks looking for opportunities where the same keys and machine identities provide access. It’s good to see Cisco close this gap quickly," he said.
