Cisco has issued six security advisories dealing with a stack of vulnerabilities in its Data Center Network Manager product, after they were shared by security researcher Steven Seeley.
The flaws exploit problems like "static" (hardcoded) encryption keys in the widely used network infrastructure product. Three underlying flaws could allow a remote attacker to gain administrator rights and take control of an affected device. Seeley lists 120 examples of the flaws on his Source Incite blog, which have been shared through Trend Micro's Zero Day Initiative bug bounty program, giving Cisco a chance to get fixes issued.
Patching is urgent, using software updates from Cisco, as Seeley has told CBR that the dangerous flaws are simple to exploit. To prove it, he will be releasing exploits for the flaws, which he found during an extensive audit, and shared responsibly through the bug bounty program. “It took a month of auditing; some proper source code review and run time debugging," he told CBR. “But exploitation is trivial.”
The flaws are labeled differently in the Cisco advisories and on the Zero Day Initiative. Three vulnerabilities addressed by a critical Cisco update have a score of 9.8 on the critical vulnerability scoring system (CVSS) - which is concerning as the CVSS goes up to 10.
Two of them, which Cisco designates CVE-2019-15975 and CVE-2019-15976 are caused by DCNM sharing a static encryption key between installations in the REST API and SOAP API endpoints respectively. The third, CVE-2019-15977, is caused by the use of static credentials in the web-based management interface.
There are seven high-level vulnerabilities, two of which are caused by SQL injection flaws, three by path traversal bugs, and two by command injection conditions. That leaves two medium-level bugs, based on an XML external entity read access vulnerability and a JBoss EAP unauthorized access vulnerability.
Why did Steven Seeley, also known as @mr_me, embark on the major security audit of DCNM? It could have something to do with a Cisco's Talos security team passing up an opportunity to hire Seeley earlier in the year, after a lengthy interview process.
After a claimed "eight interviews," Talos said they didn't have a job for him, after which Seeley went ahead and found the vulnerabilities, tweeting the achievement. On Twitter, he later clarified these were not all formal face-to-face interviews: "Tbf they were more like casual chats over Skype and the technical team were very friendly. But I can’t stand time wasters."