Cisco Urges Patching Critical Nexus Switch Vulnerabilities

Remote attackers can bypass authentication by exploiting three flaws in older versions of Cisco Data Center Network Manager, which controls NX-OS-based data center infrastructure. No malicious attacks have been seen yet.

Cisco Systems kicked off the new year by urging customers to patch the network operating software used to manage its Nexus portfolio of data center switches.

The networking giant published a security advisory Thursday revealing three critical vulnerabilities in the Cisco Data Center Network Manager platform, which controls its NX-OS-based infrastructure.

Remote attackers could exploit those flaws to bypass the authentication mechanism in software implementing data center network fabrics and networked storage. Because there are no workarounds, Cisco told customers they should install newly released patches or update to the latest releases of the platform.

"Transparency at Cisco is a matter of top priority. When security issues arise, we handle them openly and swiftly, so our customers understand the issue and how to address it," a Cisco spokesperson told CRN.

Affected products are Cisco DCNM releases older than 11.3(1) for Microsoft Windows, Linux, and virtual appliance platforms. Cisco said it is not aware of any malicious actions that have exploited those vulnerabilities in the field.

In its advisory, Cisco thanked Steven Seeley, known online as mr_me, an external security researcher with Source Incite who discovered the vulnerabilities while working with Trend Micro's Zero Day Initiative.

"Upon notification, we immediately followed our well-established process to address and disclose them," the Cisco spokesperson said.

Seeley discovered the first critical vulnerability in the REST API endpoint of Cisco DCNM. He found another in the SOAP API endpoint of DCNM, and the third in a web-based management interface of that same product.

"The vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities," Cisco said in its security advisory.

For two of those vulnerabilities, the potential to bypass proper authentication results from use of static encryption keys shared between installations. Static credentials create the third vulnerability.