The two worst security problems involve Cisco Data Center Network Manager (DCNM) Credit: Matejmo Cisco issued three “critical” security warnings for its DNA Center users – two having a Common Vulnerability Scoring System rating of 9.8 out of 10. The two worst problems involve Cisco Data Center Network Manager (DCNM). Cisco DNA Center controls access through policies using Software-Defined Access, automatically provision through Cisco DNA Automation, virtualize devices through Cisco Network Functions Virtualization (NFV), and lower security risks through segmentation and Encrypted Traffic Analysis. In one advisory Cisco said a vulnerability in the web-based management interface of DCNM could let an attacker obtain a valid session cookie without knowing the administrative user password by sending a specially crafted HTTP request to a specific web servlet that is available on affected devices. The vulnerability is due to improper session management on affected DCNM software. The vulnerability affects DCNM software releases prior to Release 11.1(1). Cisco said it removed the affected web servlet completely in DCNM Software Release 11.1(1). Another critical warning was issued for DCNM on a vulnerability that lets an attacker create arbitrary files on the underlying DCNM filesystem by sending specially crafted data to a specific web servlet that is available on affected devices. Cisco said the vulnerability is due to incorrect permission settings in affected DCNM software. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device. In DCNM Software Release 11.0(1) and earlier, an attacker would need to be authenticated to the DCNM web-based management interface to exploit this vulnerability, Cisco said. The third vulnerability – with a CVSS score of 9.3 – defines a vulnerability in DNA Center that could let an unauthenticated, adjacent attacker bypass authentication and access critical internal services. An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could allow an attacker to reach internal services that are not hardened for external access, Cisco said. The vulnerability is due to insufficient access restriction to ports necessary for system operation, the company stated. In this case Cisco said a workaround is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC). Cisco said it has released free software updates that address the vulnerabilities described in these advisories. The critical warnings this week follow another critical DNA Center notice last week. Then Cisco detailed a critical warning – with a CVSS rating of 9.3 – about vulnerability in its DNA Center software that could let an unauthenticated attacker exploit this weakness by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could let an attacker reach internal services that are not hardened for external access, Cisco stated. The vulnerability is due to insufficient access restriction to ports necessary for system operation, and Cisco discovered the issue during internal security testing, the company stated. This vulnerability affects Cisco DNA Center Software releases prior to 1.3, and it is fixed in version 1.3 and releases after that. Cisco wrote that system updates are available for installation from the Cisco cloud and are not available for download from the Software Center on Cisco.com. To upgrade to a fixed release of Cisco DNA Center Software, administrators can use the System Updates feature of the software. Related content analysis At RSA, Cisco unveils Splunk integrations, Hypershield upgrades At RSA Conference 2024, Cisco announced plans to integrate its XDR platform and Splunk’s SIEM, bolster its Hypershield AI-native security architecture, and add to its Duo access-protection software. By Michael Cooney May 06, 2024 5 mins Network Management Software Network Security Networking how-to Download our Zero Trust network access (ZTNA) enterprise buyer’s guide From the editors of Network World, this enterprise buyer’s guide helps network and security IT staff understand what ZTNA can do for their organizations and how to choose the right solution. By Josh Fruhlinger and Steve Zurier May 06, 2024 1 min Network Security Enterprise Buyer’s Guides news Network jobs watch: Hiring, skills and certification trends What IT leaders need to know about expanding responsibilities, new titles and hot skills for network professionals and I&O teams. By Denise Dubie May 06, 2024 6 mins Careers Data Center Networking feature IBM’s bets on AI and hybrid cloud pay off Three key differentiators of IBM’s AI and cloud offerings are cross-platform automation, integration with multiple clouds, and tie-ins to IBM professional services. By Jeff Vance May 06, 2024 9 mins Hybrid Cloud Network Management Software Cloud Computing PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe