Cisco released a list of 16 security advisories on May 16, including three critical flaws in the Cisco Digital Network Architecture (DNA) Center that rated a 10/10 on the CVSS (Common Vulnerability Scoring System) scale.
The three critical flaws all give attackers elevated privileges that can compromise the entirety of the DNA Center but go about it in very different ways. One involves exploiting a hardcoded admin password, one attacks the Kubernetes port, and the third relies on a specially crafted URL not being normalized before DNA Center resolves a service request.
Cisco DNA Center is the hub of Cisco's intent-based network architecture, which uses AI and machine learning to automate much of the legwork network administrators typically do when provisioning networks and their hardware.
Cisco has released an update to the DNA Center (v 1.1.3) that resolves all three security flaws. Given the critical master control role that DNA Center plays in Cisco networks these three advisories should have Cisco admins scrambling to update right away.
What these three flaws can do
All three of these issues merit their 10/10 CVSS score because they could result in an attacker being able to assert a high degree of—if not total—control over DNA Center.
All three vulnerabilities affect every single version of Cisco DNA Center prior to the latest release (1.1.3), except the URL exploit. Itwas fixed in version 1.1.2, which was released in January 2018.
SEE: Network security policy (Tech Pro Research)
The first, CVE-2018-0222, is due to "undocumented, static user credentials for the default administrative account for the affected software." In other words, an attacker could theoretically connect to an affected Cisco DNA Center provided they knew its address and guessed enough combinations of admin/admin or similar default username and password combinations.
The second, CVE-2018-0268, "is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center." Cisco said that an attacker that can access the Kubernetes service port could completely compromise any affected containers.
The third, CVE-2018-0271, "is due to a failure to normalize URLs prior to servicing requests." Attackers that submit a specially crafted URL can exploit the issue to gain elevated DNA Center privileges, which they can then use to do more damage.
Installing the latest version of Cisco DNA Center
Cisco said there are no workarounds for these exploits and advises updating to DNA Center version 1.1.3 immediately. All prior versions are affected by these bugs, which makes them especially dangerous.
Administrators can check which version of DNA Center they're running by logging into DNA Center's web GUI and looking for the gear icon on the homepage. Click it and look for About DNA Center. On the screen that pops up there should be a System Version field that lists the current running version of DNA Center.
Cisco advises admins to use the System Updates feature of DNA Center to install version 1.1.3 right away. Cybercriminals often rely on outdated software vulnerable to known exploits to launch attacks, so don't take the chance of falling victim to a DNA Center hack that has already been resolved.
The big takeaways for tech leaders:
- Cisco has notified the public of three critical vulnerabilities in its Cisco DNA Center. All three can result in an attacker gaining elevated access or total control over an affected system.
- Cisco has released an updated version of DNA Center (version 1.1.3) that addresses all three issues. DNA Center users are strongly advised to update immediately.
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- Cisco 'waited 80 days' before revealing it had been patching its critical VPN flaw (ZDNet)
- If your businesses uses a Cisco VPN, patch it now to avoid critical flaw (TechRepublic)
- Cisco joins the Kubernetes cloud rush (ZDNet)
- Cisco switch flaw led to attacks on critical infrastructure in several countries (TechRepublic)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.