Cisco has released fixes for three severe bugs in its Digital Network Architecture (DNA) Center software that leave the door open to remote attackers.
The three bugs all have a CVSS 3.0 Score of 10 out of a possible 10, indicating they’re the most severe vulnerabilities possible and need to be patched now.
One of the three, logged as CVE-2018-0222, is caused by DNA Center having default and static administrative account credentials, which an attacker could use to log into an affected system and execute commands with root privileges.
Cisco announced DNA Center in the summer of 2017, offering customers network automation software and a centralized management interface for its “intent-based networking” system. Admins can use DNA Center to set policies for network segmentation, configure network infrastructure, and monitor network glitches. It ships as part of a dedicated appliance.
The 1.1 release of DNA Center arrived in January 2018, so it and all subsequent releases until Release 1.1.3 are vulnerable.
Cisco discovered the bug during internal testing, and the company says it isn’t aware of any public reports or attacks that exploit the vulnerability.
The second DNA Center bug, CVE-2018-0271, is an authentication bypass in its API gateway. The software doesn’t normalize URLs prior to servicing requests. This would allow an “unauthenticated, remote attacker to pass authentication and access critical services”, resulting in elevated privileges in DNA Center.
This vulnerability affects Cisco DNA Center Software Releases prior to 1.1.2. Cisco isn’t aware of any public exploits for this flaw, which was found during internal testing.
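The class of flaw behind CVE-2018-0271, an access decision made on a URL that has not been normalized, can be illustrated with a generic sketch. This is an added example, not Cisco's code or part of the advisory; the `/public` prefix, the function names and the sample request targets are constructed assumptions and say nothing about DNA Center's actual routes.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical gateway policy: only this prefix is served without a session.
PUBLIC_PREFIX = "/public"

# Constructed request targets for the demonstration.
SAMPLE_TARGETS = [
    "/public/status",
    "/public/../admin/users",
    "/public/%2e%2e/admin/users",
    "/public/%252e%252e/admin/users",
    "/admin/users",
    "/public/./status?verbose=1",
]

def canonical_path(raw_target: str) -> str:
    """Reduce a request target to one canonical path; raise ValueError if ambiguous."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):  # peel nested percent-encoding until the string is stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("excessive percent-encoding")
    if "\\" in path or "\x00" in path or not path.startswith("/"):
        raise ValueError("ambiguous path")
    # normpath resolves "." and ".." and collapses "//"; lstrip handles the
    # leading "//" that POSIX normpath deliberately preserves.
    return "/" + posixpath.normpath(path).lstrip("/")

def is_public_naive(raw_target: str) -> bool:
    # Flawed pattern: the policy decision is made on the raw string.
    return raw_target.startswith(PUBLIC_PREFIX + "/")

def is_public_normalized(raw_target: str) -> bool:
    # Hardened pattern: normalize first, fail closed on anything ambiguous.
    try:
        path = canonical_path(raw_target)
    except ValueError:
        return False
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")

def audit(targets):
    """Return targets on which the two checks disagree, useful as an alerting signal."""
    return [t for t in targets if is_public_naive(t) != is_public_normalized(t)]
```

Running `audit(SAMPLE_TARGETS)` over gateway access logs in place of the sample list flags requests whose raw and canonical paths fall under different policies.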
A successful attack on the third issue affecting DNA Center could result in a “complete compromise” of affected Kubernetes containers within DNA Center. This vulnerability affects 1.1.3 and prior but is fixed in release 1.1.4 and later.
“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center. An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers,” Cisco notes in its advisory for CVE-2018-0268.
Some customers may have unknowingly plugged the vulnerabilities revealed today, which were fixed in releases Cisco made available several months ago.
DNA Center release 1.1.5, for example, landed on April 6 and release 1.1.4 arrived in March. Any customer that hasn't already moved to a fixed release should probably do so soon, given the severity of the now-acknowledged bugs and recent attacks on switches with internet-exposed Cisco Smart Install software, which Australia recently attributed to advanced Russian hackers.
Cisco also released 13 fixes for four high severity issues and nine medium severity ones.