Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0246 Cisco Data Center Network Manager multiple vulnerabilities 21 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Data Center Network Manager Publisher: Cisco Systems Operating System: Cisco Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Modify Arbitrary Files -- Existing Account Delete Arbitrary Files -- Existing Account Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-1286 CVE-2021-1283 CVE-2021-1277 CVE-2021-1276 CVE-2021-1272 CVE-2021-1270 CVE-2021-1269 CVE-2021-1255 CVE-2021-1253 CVE-2021-1250 CVE-2021-1249 CVE-2021-1248 CVE-2021-1247 CVE-2021-1135 CVE-2021-1133 CVE-2020-1276 Reference: ASB-2020.0107 ESB-2020.3874 ESB-2020.3402 ESB-2020.3063 ESB-2020.2532 ESB-2020.2009.3 ESB-2020.1899 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-authbypass-OHBPbxu https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-cert-check-BdZZV9T3 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-info-disc-QCSJB6YG https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-api-path-TpTApx2p https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-sql-inj-OAQOObP https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-ssrf-F2vX6q5p https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-xss-vulns-GuUJ39gh Comment: This bulletin contains seven (7) Cisco Systems security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Data Center Network Manager Authorization Bypass Vulnerabilities Priority: Medium Advisory ID: cisco-sa-dcnm-authbypass-OHBPbxu First Published: 2021 January 20 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvu57868 CSCvv87627 CVE Names: CVE-2021-1269 CVE-2021-1270 Summary o Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-authbypass-OHBPbxu Affected Products o Vulnerable Products At the time of publication, these vulnerabilities affected Cisco DCNM releases earlier than Release 11.5(1). See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Details o The vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability. Details about the vulnerabilities are as follows: CVE-2021-1270: Cisco DCNM Authorization Bypass Vulnerability A vulnerability in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to modify the configuration without proper authorization. This vulnerability is due to a failure to limit access to resources that are intended for users with Administrator privileges. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow a low-privileged attacker to edit the configuration. To exploit this vulnerability, an attacker would need valid nonadministrative credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCvv87627 CVE-ID: CVE-2021-1270 Security Impact Rating (SIR): Medium CVSS Base Score: 7.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L CVE-2021-1269: Cisco DCNM Authorization Bypass Vulnerability A vulnerability in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to bypass authorization on an affected device and access sensitive information that is related to the device. This vulnerability is due to a failure to limit access to resources that are intended for users with Administrator privileges. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow a low-privileged attacker to list, view, create, edit, and delete specific system configurations in the same manner as a user with Administrator privileges. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCvu57868 CVE-ID: CVE-2021-1269 Security Impact Rating (SIR): Medium CVSS Base Score: 6.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Workarounds o There are no workarounds that address these vulnerabilities. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, Cisco DCNM releases 11.5(1) and later contained the fix for these vulnerabilities. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-authbypass-OHBPbxu Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2021-JAN-20 | +----------+---------------------------+----------+--------+--------------+ - -------------------------------------------------------------------------------- Cisco Data Center Network Manager Certificate Validation Vulnerabilities Priority: High Advisory ID: cisco-sa-dcnm-cert-check-BdZZV9T3 First Published: 2021 January 20 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvv35346 CSCvv35348 CSCvv35354 CSCvv82441 CVE Names: CVE-2021-1276 CVE-2021-1277 CWEs: CWE-295 Summary o Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) could allow an attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information or alter certain API requests. These vulnerabilities are due to insufficient certificate validation when establishing HTTPS requests with the affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-cert-check-BdZZV9T3 Affected Products o Vulnerable Products These vulnerabilities affect Cisco Data Center Network Manager releases earlier than 11.5(1). Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Details o The vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability. Details about the vulnerabilities are as follows: CVE-2020-1276: Cisco Data Center Network Manager Certificate Validation Vulnerability A vulnerability in the Device Manager application of Cisco DCNM could allow an unauthenticated, remote attacker to modify a specific API request that is used to verify a user's authentication token. This vulnerability is due to a lack of validation of the SSL certificate used when establishing a connection to the Device Manager application. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to alter a specific API request. Bug ID(s): CSCvv82441 CVE ID: CVE-2021-1276 Security Impact Rating (SIR): High CVSS Base Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2021-1277: Cisco Data Center Network Manager Certificate Validation Vulnerability A vulnerability in Cisco DCNM could allow an unauthenticated, remote attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information from the affected device. This vulnerability is due to a lack of certificate validation. An attacker could exploit this vulnerability by using a crafted X.509 certificate and could then intercept communications. A successful exploit could allow the attacker to view and alter potentially sensitive information that DCNM maintains about clients that are connected to the network. Bug ID(s): CSCvv35348 , CSCvv35346 , CSCvv35354 CVE ID: CVE-2021-1277 Security Impact Rating (SIR): Medium CVSS Base Score: 6.5 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N Workarounds o There are no workarounds that address these vulnerabilities. Fixed Software o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Cisco fixed these vulnerabilities in Cisco DCNM releases 11.5(1) and later. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-cert-check-BdZZV9T3 Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2021-JAN-20 | +----------+---------------------------+----------+--------+--------------+ - -------------------------------------------------------------------------------- Cisco Data Center Network Manager Information Disclosure Vulnerability Priority: Medium Advisory ID: cisco-sa-dcnm-info-disc-QCSJB6YG First Published: 2021 January 20 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvv07941 CSCvv07942 CSCvv07945 CSCvv07947 CVE Names: CVE-2021-1283 CWEs: CWE-789 Summary o A vulnerability in the logging subsystem of Cisco Data Center Network Manager (DCNM) could allow an authenticated, local attacker to view sensitive information in a system log file that should be restricted. The vulnerability exists because sensitive information is not properly masked before it is written to system log files. An attacker could exploit this vulnerability by authenticating to an affected device and inspecting a specific system log file. A successful exploit could allow the attacker to view sensitive information in the system log file. To exploit this vulnerability, the attacker would need to have valid user credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-info-disc-QCSJB6YG Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco DCNM releases earlier than Release 11.5(1). See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, Cisco DCNM releases 11.5(1) and later contained the fix for this vulnerability. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-info-disc-QCSJB6YG Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2021-JAN-20 | +----------+---------------------------+----------+--------+--------------+ - -------------------------------------------------------------------------------- Cisco Data Center Network Manager REST API Vulnerabilities Priority: Medium Advisory ID: cisco-sa-dcnm-api-path-TpTApx2p First Published: 2021 January 20 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvt82606 CSCvu28383 CSCvu28385 CVE Names: CVE-2021-1133 CVE-2021-1135 CVE-2021-1255 CWEs: CWE-184 CWE-20 CWE-807 CVSS Score: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o Multiple vulnerabilities in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-api-path-TpTApx2p Affected Products o Vulnerable Products At the time of publication, these vulnerabilities affected Cisco DCNM releases earlier than Release 11.4(1). See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Details o The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerabilities. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities. Details about the vulnerabilities are as follows. CVE-2021-1133: Cisco Data Center Network Manager Path Traversal Vulnerability A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privilege account to conduct a path traversal attack on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to delete arbitrary files on the file system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCvt82606 CVE-ID: CVE-2021-1133 Security Impact Rating (SIR): Medium CVSS Base Score: 6.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-1255: Cisco Data Center Network Manager Path Traversal Vulnerability A vulnerability in a certain REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to perform a path traversal attack on an affected device. The vulnerability is due to insufficient path restriction enforcement. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to overwrite or list arbitrary files on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCvu28383 CVE-ID: CVE-2021-1255 Security Impact Rating (SIR): Medium CVSS Base Score: 4.6 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVE-2021-1135: Cisco DCNM Software Configuration Bypass Vulnerability A vulnerability in a certain REST API endpoint of Cisco Data Center Network Manager could allow an authenticated, remote attacker to bypass security controls and modify default server configuration settings on the affected device. The vulnerability is due to an incorrect comparison in a denylist implementation. An attacker could exploit this vulnerability by sending specially crafted network traffic to the affected software. A successful exploit could allow the attacker to modify server configuration settings on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCvu28385 CVE-ID: CVE-2021-1135 Security Impact Rating (SIR): Medium CVSS Base Score: 4.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Workarounds o There are no workarounds that address these vulnerabilities. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, Cisco DCNM releases 11.4(1) and later contained the fix for these vulnerabilities. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-api-path-TpTApx2p Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2021-JAN-20 | +----------+---------------------------+----------+--------+--------------+ - -------------------------------------------------------------------------------- Cisco Data Center Network Manager SQL Injection Vulnerabilities Priority: High Advisory ID: cisco-sa-dcnm-sql-inj-OAQOObP First Published: 2021 January 20 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvv82432 CSCvv82433 CVE Names: CVE-2021-1247 CVE-2021-1248 CWEs: CWE-89 Summary o Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-sql-inj-OAQOObP Affected Products o Vulnerable Products These vulnerabilities affect Cisco DCNM releases earlier than Release 11.5 (1). Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Details o The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability. Details about the vulnerabilities are as follows. CVE-2021-1247: Cisco DCNM SQL Injection Vulnerability A vulnerability in a REST API endpoint of Cisco DCNM could allow an authenticated, remote attacker with lower-level privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input to the API. An attacker with lower-level privileges, such as network-operator , could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, or execute commands within the underlying operating system that may affect the availability of the device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCvv82432 CVE ID: CVE-2021-1247 Security Impact Rating (SIR): High CVSS Base Score: 8.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-1248: Cisco DCNM SQL Injection Vulnerability A vulnerability in a REST API endpoint of Cisco DCNM could allow an authenticated, remote attacker with administrative privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input to the API. An attacker with administrative privileges could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, or execute commands within the underlying operating system that may affect the availability of the device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCvv82433 CVE ID: CVE-2021-1248 Security Impact Rating (SIR): High CVSS Base Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Workarounds o There are no workarounds that address these vulnerabilities. Fixed Software o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Cisco fixed these vulnerabilities in Cisco DCNM releases 11.5(1) and later. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-sql-inj-OAQOObP Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2021-JAN-20 | +----------+---------------------------+----------+--------+--------------+ - -------------------------------------------------------------------------------- Cisco Data Center Network Manager Server-Side Request Forgery Vulnerability Priority: High Advisory ID: cisco-sa-dcnm-ssrf-F2vX6q5p First Published: 2021 January 20 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvv82444 CVE Names: CVE-2021-1272 CWEs: CWE-918 Summary o A vulnerability in the session validation feature of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. This vulnerability is due to insufficient validation of parameters in a specific HTTP request by an attacker. An attacker could exploit this vulnerability by sending a crafted HTTP request to an authenticated user of the DCNM web application. A successful exploit could allow the attacker to bypass access controls and gain unauthorized access to the Device Manager application, which provides access to network devices managed by the system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-ssrf-F2vX6q5p Affected Products o Vulnerable Products This vulnerability affects Cisco DCNM Software if it is running a release earlier than 11.5(1). This vulnerability affects DCNM-Storage Area Network (SAN) deployments , including the following: Open Virtual Appliance (OVA) deployments Windows DCNM-SAN installations Linux DCNM-SAN installations Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Cisco fixed this vulnerability in Cisco DCNM software releases 11.5(1) and later. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-ssrf-F2vX6q5p Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2021-JAN-20 | +----------+---------------------------+----------+--------+--------------+ - -------------------------------------------------------------------------------- Cisco Data Center Network Manager Vulnerabilities Priority: Medium Advisory ID: cisco-sa-dcnm-xss-vulns-GuUJ39gh First Published: 2021 January 20 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvu50101 CSCvu68933 CSCvv00638 CSCvv00642 CSCvv00643 CSCvv00644 CSCvv00645 CSCvv00646 CSCvv00654 CSCvv07930 CSCvv87589 CSCvv87602 CSCvv87608 CSCvv87614 CVE Names: CVE-2021-1249 CVE-2021-1250 CVE-2021-1253 CVE-2021-1286 CWEs: CWE-20 CWE-79 Summary o Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow a remote attacker with network-operator privileges to conduct a cross-site scripting (XSS) attack or a reflected file download (RFD) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-xss-vulns-GuUJ39gh Affected Products o Vulnerable Products At the time of publication, these vulnerabilities affected Cisco DCNM releases earlier than Release 11.5(1). See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Details o The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability. Details about the vulnerabilities are as follows. CVE-2021-1249: Cisco DCNM Cross-Site Scripting Vulnerabilities Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Bug ID(s): CSCvv00645 , CSCvu50101 , CSCvu49711 , CSCvu68933 CVE ID: CVE-2021-1249 Security Impact Rating (SIR): Medium CVSS Base Score: 6.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L CVE-2021-1286: Cisco DCNM Reflected File Download Vulnerabilities Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an unauthenticated, remote attacker to conduct an RFD attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading an authenticated user of the interface to click a link that submits malicious input to the interface. A successful exploit could allow the attacker to execute arbitrary script code on the affected device. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Bug ID(s): CSCvv87608 , CSCvv87589 , CSCvv87602 CVE ID: CVE-2021-1286 Security Impact Rating (SIR): Medium CVSS Base Score: 6.1 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N CVE-2021-1250: Cisco DCNM Cross-Site Scripting Vulnerabilities Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Bug ID(s): CSCvv00642 , CSCvv87614 , CSCvv00638 , CSCvv00644 , CSCvv00654 , CSCvv00643 CVE ID: CVE-2021-1250 Security Impact Rating (SIR): Medium CVSS Base Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L CVE-2021-1253: Cisco DCNM Persistent Cross-Site Scripting Vulnerabilities Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Bug ID(s): CSCvv07930 , CSCvv00646 CVE ID: CVE-2021-1253 Security Impact Rating (SIR): Medium CVSS Base Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L Workarounds o There are no workarounds that address these vulnerabilities. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, Cisco Data Center Network Manager releases 11.5 (1) and later contained the fix for these vulnerabilities. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-xss-vulns-GuUJ39gh Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2021-JAN-20 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYAkX2uNLKJtyKPYoAQhBPw//Sf6Ygf/j2PMfs3S+wzBCEt2z47IGbgsK t5zkciYRd56y+0y+SGs3oniZTFbd19gLN4WqzYcavLcJFGzBHvPnq78G+tLnts5J OlM4DCilgcyaVPPA3mz6doKL8ttNeVnXWVVkMSxQnJIKCuPci6Sys/fJoGBbX0NJ ROeeqQa4CZRgeH8ecyy3tvpPapRbXC+Xuye058KQOl0Ei06zxuO9LwAVB2kYLsbw 3O2x61xOInuwcMNasPq/EkyFKvL2zQnWfUWG1qTCGLOWqtlh6bM6zvAsDIpYm6Sw QJ+/u7Y7Qtk5mtGihIWxNEsW9KUIqHcR91Fu3n0nizTobtw25yeCeW2otdAEZcyH bg79/wmUpnYnKX5pmJlD5i2TE8GTevVTh2dfCyd8eJH5fHDDp5kFFA0Ski+kBEoB VuTowQdeeWu58cyEdInZJ/gDoVt6wEnsOCVpE/Gjc3QupOIV/55cHU0RQyUY1g8Z uowsqwAanE8C1E9b8sH81v7pj2Wrz23PrypasCHBbDND9Jatqa26GstMsyZ7fthf qz5eNgz9qvPeRQxVDEyFjl4yTAQQ8ALYjv8WIAEvD7oyi3x/Yt+cae/fjUeigfS9 1m0vmH2v7kantc29yctj9VCHFDquAvkmSznnB31W4lujIDty2/lydPmYb/AXUOJc dXhNryjzQ54= =QwFo -----END PGP SIGNATURE-----