Cisco DNA Center Critical Flaw Opens Access to Internal Services

Cisco is urging customers to update after discovering a critical vulnerability in its Digital Network Architecture (DNA) Center, which could allow an unauthenticated attacker to access critical internal services.

Overall, Cisco issued fixes for 25 vulnerabilities across its various products: Two critical, seven high, and 16 medium in severity. The most severe of these (CVE-2019-1848) stems from an insufficient restriction on access to ports that are necessary for the system operation in Cisco DNA Center, which is its network management and command software that allows enterprises to monitor and troubleshoot their networks. The vulnerability has a severity ranking of 9.3 out of 10 on the CVSS scale.

“A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services,” according to Cisco’s Wednesday advisory.

An attacker could exploit this vulnerability by connecting an unauthorized device to the network: A successful exploit could allow an attacker to reach internal services “that are not hardened for external access,” according to Cisco. Impacted is Cisco DNA Center software releases prior to 1.3; users are urged to update to version 1.3.

Cisco SD-WAN Flaws

Cisco also issued patches for several critical and high-severity vulnerabilities in Cisco SD-WAN, its software-defined cloud architecture that manages wide-area networking for enterprises.

The most severe of these is a critical privilege-escalation flaw (CVE-2019-1625) existing in the command line interface (CLI), which provides various commands for configuring and monitoring the software, hardware and network connectivity. The flaw stems from an insufficient enforcement of authorization in the CLI; An attacker could exploit the vulnerability by authenticating to a targeted device and executing commands, eventually leading to elevated privileges.

“A vulnerability in the CLI of Cisco SD-WAN Solution could allow an authenticated, local attacker to elevate lower-level privileges to the root user on an affected device,” Cisco said in its advisory. The elected privileges could allow attackers to make configuration changes to the system as the root user.

This vulnerability affects various Cisco products running a SD-WAN release prior to 18.3.6, 18.4.1, and 19.1.0 – including various vEdge routers, vBond Orchestrator Software and vManage Network Management Software.

Cisco SD-WAN also has two high-severity flaws, including a vulnerability (CVE-2019-1624) in its web-based user interface, vManage. The vulnerability could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

“The vulnerability is due to insufficient input validation,” said Cisco in its advisory. “An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the vManage Web UI. A successful exploit could allow the attacker to execute commands with root privileges.”

The other high-severity flaw (CVE-2019-1626) also exists in the SD-WAN vManage web-based user interface and could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device.

The vulnerability stems from Cisco’s failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web user interface and sending crafted HTTP requests to vManage, said Cisco.

“A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make,” according to its advisory.

Both high-severity vulnerabilities affect Cisco vManage Network Management Software running a release of the Cisco SD-WAN Solution prior to Release 18.4; users are urged to update to version 18.4.

Other Flaws

In addition to two critical vulnerabilities, Cisco released fixes for seven high-severity glitches across various products including several denial-of-service flaws.

The worst of these include a vulnerability (CVE-2019-1874) in the web-based management interface of Cisco Prime Service Catalog Software, a network management software suite consisting of different software applications. The flaw could allow an unauthenticated, remote attacker to conduct a cross-site request forgery attack on impacted systems.

Another high-severity denial-of-service flaw exists in the management interface of Cisco RV110W, RV130W and RV215W routers. The flaw (CVE-2019-1843) is due to an improper validation of user-supplied data in the web-based management interface, could allow an unauthenticated, remote attacker to create denial-of-service on impacted devices.

Cisco also warned of a denial-of-service vulnerability in its StarOS operating system, which runs on virtual platforms. The flaw (CVE-2019-1869), which is due to a logic error that could occur under specific traffic conditions, could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial-of-service condition.

Cisco said it is not aware of any exploits of the vulnerabilities in the wild.