Cisco DNA Center Authentication Bypass Vulnerability

A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services.

The vulnerability is due to insufficient access restriction to ports necessary for system operation. An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could allow an attacker to reach internal services that are not hardened for external access.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-dnac-bypass

Security Impact Rating: Critical

CVE: CVE-2019-1848

Related:

  • No Related Posts

Cisco Security Manager XML Entity Expansion Vulnerability

A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition.

The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to a targeted system that contain references within XML entities. An exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-csm-xml

Security Impact Rating: Medium

CVE: CVE-2019-1903

Related:

  • No Related Posts

Cisco Meeting Server CLI Command Injection Vulnerability

A vulnerability in the CLI configuration shell of Cisco Meeting Server could allow an authenticated, local attacker to inject arbitrary commands as the root user.

The vulnerability is due to insufficient input validation during the execution of a vulnerable CLI command. An attacker with administrator-level credentials could exploit this vulnerability by injecting crafted arguments during command execution. A successful exploit could allow the attacker to perform arbitrary code execution as root on an affected product.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-cms-codex

Security Impact Rating: High

CVE: CVE-2019-1623

Related:

  • No Related Posts

Cisco StarOS Denial of Service Vulnerability

A vulnerability in the internal packet-processing functionality of the Cisco StarOS operating system running on virtual platforms could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial of service (DoS) condition.

The vulnerability is due to a logic error that may occur under specific traffic conditions. An attacker could exploit this vulnerability by sending a series of crafted packets to an affected device. A successful exploit could allow the attacker to prevent the targeted service interface from receiving any traffic, which would lead to a DoS condition on the affected interface.

The device may have to be manually reloaded to recover from exploitation of this vulnerability.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-staros-asr-dos

Security Impact Rating: High

CVE: CVE-2019-1869

Related:

  • No Related Posts

Cisco SD-WAN Solution Command Injection Vulnerability

A vulnerability in the vManage web-based UI (Web UI) in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the vManage Web UI. A successful exploit could allow the attacker to execute commands with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-cmdinj

Security Impact Rating: High

CVE: CVE-2019-1624

Related:

  • No Related Posts

Cisco Prime Service Catalog Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.

The vulnerability is due to insufficient CSRF protection mechanisms on the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-psc-csrf

Security Impact Rating: High

CVE: CVE-2019-1874

Related:

  • No Related Posts

Cisco Prime Infrastructure Virtual Domain Privilege Escalation Vulnerability

A vulnerability in the Virtual Domain system of Cisco Prime Infrastructure (PI) could allow an authenticated, remote attacker to change the virtual domain configuration, which could lead to privilege escalation.

The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by manipulating requests sent to an affected PI server. A successful exploit could allow the attacker to change the virtual domain configuration and possibly elevate privileges.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-prime-privescal

Security Impact Rating: Medium

CVE: CVE-2019-1906

Related:

  • No Related Posts

Cisco Integrated Management Controller Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to access potentially sensitive system usage information.

The vulnerability is due to a lack of proper data protection mechanisms. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow an attacker to view sensitive system data.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-imc-infodisclos

Security Impact Rating: Medium

CVE: CVE-2019-1631

Related:

  • No Related Posts

Cisco Integrated Management Controller Arbitrary File Write Vulnerability

A vulnerability in the configuration import utility of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to have write access and upload arbitrary data to the filesystem.

The vulnerability is due to a failure to delete temporarily uploaded files. An attacker could exploit this vulnerability by crafting a malicious file and uploading it to the affected device. An exploit could allow the attacker to fill up the filesystem or upload malicious scripts.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-imc-filewrite

Security Impact Rating: Medium

CVE: CVE-2019-1629

Related:

  • No Related Posts

Cisco Integrated Management Controller Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.

The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on the affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-imc-csrf

Security Impact Rating: Medium

CVE: CVE-2019-1632

Related:

  • No Related Posts