Vulnerabilities have cropped up in two versions of Cisco's Prime network management software. Three of them affect Cisco Prime Data Center Network Manager (DCNM) andanother impacts the web framework of Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance.
The vulnerabilities in DCNM could allow an unauthenticated, remote attacker to disclose file components, and access text files on an affected device. Specifically, the vulnerabilities involve information disclosure, remote command execution and XML external entity injection.
In the information disclosure vulnerability, the DCNM-SAN Server component of Cisco Prime DCNM could allow an unauthenticated, remote attacker to disclose arbitrary file contents on an affected system. The remote command execution glitch also affects the DCNM-SAN Server component and could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Prime DCNM application.
The external entity injection vulnerability could allow an unauthenticated, remote attacker to access arbitrary text files on the underlying operating system with the privilege of root using an XML external entity injection attack. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information, the advisory states.
The vulnerabilities affect all versions of Cisco Prime DCNM prior to 6.2(1). Cisco says it has released free software updates that address these vulnerabilities - included in Release 6.2(1) —but currently there are no workarounds that mitigate them. Cisco also says it is not aware of any public announcements or malicious use of the vulnerabilities.
The remote command execution information disclosure vulnerabilities were reported to Cisco by TippingPoint's Zero Day Initiative. The XML external entity injection vulnerability was reported to Cisco by Ben Williams with NCC Group.
Williams also found the vulnerability in the web framework of Cisco Prime Central for HCS Assurance. Cisco Prime Central for HCS Assurance is designed to help service providers deliver unified communications-as-a-service, and allows HTTPS connections from external web clients on TCP ports 8443 and 9090.
This vulnerability is due to improper user authentication and inadequate session management, and could allow an unauthenticated, remote attacker to access sensitive information on the system. The attacker could exploit it by submitting a crafted HTTP request to the web user interface and reveal sensitive information, including user credentials.
Affected products include Cisco Prime Central for HCS Assurance version 1.0.1 and 1.1. Cisco says it has released a free software update that addresses this vulnerability and has fixed it in Cisco Prime Central for HCS Assurance version 9.1.1. There are currently no workarounds that mitigate it.
Cisco says it is not aware of any public announcements or malicious use of the vulnerability.
Sign up for CIO Asia eNewsletters.