===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0243.2
                  Cisco DNA Center multiple vulnerabilities
                               27 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco DNA Center
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-1303 CVE-2021-1265 CVE-2021-1264 CVE-2021-1257

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-cmdinj-erumsWh9
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnacid-OfeeRjcn
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-privesc-6qjA3hVh

Comment: This bulletin contains four (4) Cisco Systems security advisories.

Revision History:  January 27 2021: Vendor updated advisories:
                                    cisco-sa-dnac-csrf-dC83cMcV, cisco-sa-dnacid-OfeeRjcn
                   January 21 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco DNA Center Command Runner Command Injection Vulnerability

Priority:        Critical
Advisory ID:     cisco-sa-dnac-cmdinj-erumsWh9
First Published: 2021 January 20 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq39748
CVE Names:       CVE-2021-1264
CWEs:            CWE-78

Summary

  o A vulnerability in the Command Runner tool of Cisco DNA Center could allow
    an authenticated, remote attacker to perform a command injection attack.
    The vulnerability is due to insufficient input validation by the Command
    Runner tool. An attacker could exploit this vulnerability by providing
    crafted input during command execution or via a crafted command runner API
    call. A successful exploit could allow the attacker to execute arbitrary
    CLI commands on devices managed by Cisco DNA Center.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-cmdinj-erumsWh9

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco DNA Center Software releases earlier than
    1.3.1.0.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Details

  o The Command Runner application maintains a list of approved commands that
    can be executed on a managed device. An attacker could exploit this
    vulnerability to enter additional commands on the managed device CLI or
    configuration CLI, bypassing the approved command list.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased.
    Free security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    This vulnerability is fixed in Cisco DNA Center Software releases 1.3.1.0
    and later.

    Cisco DNA Center is a dedicated physical appliance that is purchased from
    Cisco with the DNA Center ISO image preinstalled. System updates are
    available for installation from the Cisco cloud and are not available for
    download from the Software Center on Cisco.com. To upgrade to a fixed
    release of Cisco DNA Center Software, administrators can use the System
    Updates feature of the software. For more information, refer to the Cisco
    DNA Center Upgrade Guide for the release to be installed.
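The approved-command-list bypass described in the Details section above comes down to how the list is enforced. The following model, added here and not Cisco's Command Runner code, contrasts a prefix-style check that lets a second CLI line or a piped filter ride along with an approved command against a strict whole-input match; the allowlist, the separator set, the interface-name pattern and the sample inputs are all constructed for the example.

```python
"""Model of an approved-command allowlist for a device command runner.

Hypothetical illustration of the CWE-78 weakness class named in the advisory;
this is not Cisco's Command Runner code. The allowlist, separators and sample
inputs below are constructed for the example.
"""
import re

# Constructed allowlist of read-only diagnostic commands.
APPROVED = {
    "show version",
    "show ip interface brief",
    "show running-config interface",
}

# Characters that let a second command ride along with an approved one:
# line breaks open a fresh CLI line, the others chain or pipe commands.
SEPARATORS = re.compile(r"[\r\n;|&]")

# A single interface argument such as GigabitEthernet1/0/1 (constructed form).
INTERFACE = re.compile(r"[A-Za-z]+[0-9]+(?:/[0-9]+)*")


def weak_is_approved(cmd: str) -> bool:
    """Loose check: accept anything that starts with an approved command.

    Whatever follows the approved prefix, including a newline that starts a
    new CLI line, is forwarded to the device unchecked.
    """
    return any(cmd.startswith(approved) for approved in APPROVED)


def strict_is_approved(cmd: str) -> bool:
    """Strict check: the whole normalised input must be one approved command,
    optionally followed by exactly one interface argument."""
    # Any control character (newline, tab, ...) or chaining separator means
    # the input is not a single command; refuse it outright.
    if SEPARATORS.search(cmd) or any(ord(ch) < 32 for ch in cmd):
        return False
    tokens = cmd.split()                     # collapses repeated spaces
    if " ".join(tokens) in APPROVED:
        return True
    # The one parameterised form: "show running-config interface <ifname>".
    if len(tokens) == 4 and " ".join(tokens[:3]) == "show running-config interface":
        return INTERFACE.fullmatch(tokens[3]) is not None
    return False


# Constructed inputs: what an operator might type, plus chained variants.
SAMPLES = [
    "show version",
    "show  ip interface  brief",                           # extra spaces
    "show running-config interface GigabitEthernet1/0/1",
    "show version\nconfigure terminal",                    # second CLI line
    "show version | include uptime",                       # piped filter
    "show running-config",                                 # not on the list
]


def evaluate(samples=SAMPLES):
    """Map each sample to (weak verdict, strict verdict)."""
    return {s: (weak_is_approved(s), strict_is_approved(s)) for s in samples}


def weak_only(samples=SAMPLES):
    """Inputs the loose check lets through but the strict check refuses:
    exactly the shapes worth flagging in command-runner audit logs."""
    return [s for s, (weak, strict) in evaluate(samples).items() if weak and not strict]


if __name__ == "__main__":
    for sample, verdict in evaluate().items():
        print(repr(sample), verdict)
```

The strict check also accepts the double-spaced input that the prefix check rejects, which shows that normalising before matching is what makes an exact-match allowlist usable rather than merely stricter.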
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-cmdinj-erumsWh9

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-JAN-20  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------------------------------------------------------------

Cisco DNA Center Cross-Site Request Forgery Vulnerability

Priority:        High
Advisory ID:     cisco-sa-dnac-csrf-dC83cMcV
First Published: 2021 January 20 16:00 GMT
Last Updated:    2021 January 25 14:01 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr12997
CVE Names:       CVE-2021-1257
CWEs:            CWE-352
CVSS Score:      7.1  AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco DNA Center
    Software could allow an unauthenticated, remote attacker to conduct a
    cross-site request forgery (CSRF) attack to manipulate an authenticated
    user into executing malicious actions without their awareness or consent.

    The vulnerability is due to insufficient CSRF protections for the
    web-based management interface of an affected device.
    An attacker could exploit this vulnerability by persuading a web-based
    management user to follow a specially crafted link. A successful exploit
    could allow the attacker to perform arbitrary actions on the device with
    the privileges of the authenticated user. These actions include modifying
    the device configuration, disconnecting the user's session, and executing
    Command Runner commands.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco DNA Center Software releases earlier than
    2.1.1.0.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased.

    Free security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    This vulnerability is fixed in Cisco DNA Center Software releases
    *2.1.1.0, *2.1.2.0, *2.1.2.3, and 2.1.2.4 and later.

    *Limited Availability Releases

    Cisco DNA Center is a dedicated physical appliance that is purchased from
    Cisco with the DNA Center ISO image preinstalled. System updates are
    available for installation from the Cisco cloud and are not available for
    download from the Software Center on Cisco.com. To upgrade to a fixed
    release of Cisco DNA Center Software, administrators can use the System
    Updates feature of the software. For more information, refer to the Cisco
    DNA Center Upgrade Guide for the release to be installed.
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Benoit Malaboeuf and Dylan Garnaud from Orange
    for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV

Revision History

  o +---------+---------------+------------------------+--------+-------------+
    | Version | Description   | Section                | Status | Date        |
    +---------+---------------+------------------------+--------+-------------+
    | 1.1     | Added release | Vulnerable Products    | Final  | 2021-JAN-25 |
    |         | 2.1.1.0.      | and Fixed Releases     |        |             |
    +---------+---------------+------------------------+--------+-------------+
    | 1.0     | Initial       | -                      | Final  | 2021-JAN-20 |
    |         | public        |                        |        |             |
    |         | release.      |                        |        |             |
    +---------+---------------+------------------------+--------+-------------+

--------------------------------------------------------------------------------

Cisco DNA Center Information Disclosure Vulnerability

Priority:        High
Advisory ID:     cisco-sa-dnacid-OfeeRjcn
First Published: 2021 January 20 16:00 GMT
Last Updated:    2021 January 26 14:34 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr85371
CVE Names:       CVE-2021-1265
CWEs:            CWE-312
CVSS Score:      7.7  AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the configuration archive functionality of Cisco DNA
    Center could allow any privilege-level authenticated, remote attacker to
    obtain the full unmasked running configuration of managed devices.
    The vulnerability is due to the configuration archive files being stored
    in clear text, which can be retrieved by various API calls. An attacker
    could exploit this vulnerability by authenticating to the device and
    executing a series of API calls. A successful exploit could allow the
    attacker to retrieve the full unmasked running configurations of managed
    devices.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnacid-OfeeRjcn

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco DNA Center Software releases earlier than
    2.1.1.0.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased.

    Free security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    This vulnerability is fixed in Cisco DNA Center Software releases
    *2.1.1.0, *2.1.2.0, *2.1.2.3 and 2.1.2.4 and later.

    *Limited Availability Releases

    Cisco DNA Center is a dedicated physical appliance that is purchased from
    Cisco with the DNA Center ISO image preinstalled. System updates are
    available for installation from the Cisco cloud and are not available for
    download from the Software Center on Cisco.com. To upgrade to a fixed
    release of Cisco DNA Center Software, administrators can use the System
    Updates feature of the software. For more information, refer to the Cisco
    DNA Center Upgrade Guide for the release to be installed.
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Prabudas Varadarajan of Cisco during
    internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnacid-OfeeRjcn

Revision History

  o +---------+------------------------+---------------+--------+-------------+
    | Version | Description            | Section       | Status | Date        |
    +---------+------------------------+---------------+--------+-------------+
    |         | Corrected first fixed  | Vulnerable    |        |             |
    | 1.1     | version to be 2.1.1.0  | Products &    | Final  | 2021-JAN-20 |
    |         | rather than 2.1.2.0    | Fixed         |        |             |
    |         |                        | Releases      |        |             |
    +---------+------------------------+---------------+--------+-------------+
    | 1.0     | Initial public         | -             | Final  | 2021-JAN-20 |
    |         | release.               |               |        |             |
    +---------+------------------------+---------------+--------+-------------+

--------------------------------------------------------------------------------

Cisco DNA Center Privilege Escalation Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-dnac-privesc-6qjA3hVh
First Published: 2021 January 20 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq32337
CVE Names:       CVE-2021-1303
CWEs:            CWE-266
CVSS Score:      4.3  AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the user management roles of Cisco DNA Center could
    allow an authenticated, remote attacker to execute unauthorized commands
    on an affected device.
    The vulnerability is due to improper enforcement of actions for assigned
    user roles. An attacker could exploit this vulnerability by authenticating
    as a user with an Observer role and executing commands on the affected
    device. A successful exploit could allow a user with the Observer role to
    execute commands to view diagnostic information of the devices that Cisco
    DNA Center manages.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-privesc-6qjA3hVh

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco DNA Center
    Software releases earlier than Release 2.1.2.0.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    At the time of publication, Cisco DNA Center Software releases *2.1.2.0,
    *2.1.2.3, and 2.1.2.4 and later contained the fix for this vulnerability.
    *Limited Availability Releases

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-privesc-6qjA3hVh

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-JAN-20  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================