Vulnerabilities > CVE-2019-1622 - Information Exposure Through Log Files vulnerability in Cisco Data Center Network Manager 11.0(1)

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
cisco
CWE-532
nessus
exploit available
metasploit
NVD
Published: 2019-06-27
Updated: 2020-10-06

Summary

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.

Vulnerable Configurations

Part Description Count
Application
Cisco
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fuzzing and observing application log data/errors for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Exploit-Db

idEDB-ID:47347
last seen2019-09-03
modified2019-09-03
published2019-09-03
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/47347
titleCisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)

Metasploit

descriptionDCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).
idMSF:EXPLOIT/MULTI/HTTP/CISCO_DCNM_UPLOAD_2019
last seen2020-06-11
modified2020-03-12
published2019-07-12
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/cisco_dcnm_upload_2019.rb
titleCisco Data Center Network Manager Unauthenticated Remote Code Execution

Nessus

NASL familyCISCO
NASL idCISCO-SA-20190626-DCNM-INFODISCL.NASL
descriptionAn information disclosure vulnerability exists in the web-based management interface of Cisco Data Center Network Manager (DCNM) due to improper access controls for certain URLs on affected DCNM software. An unauthenticated, remote attacker can exploit this, by connecting to the web-based management interface of an affected device and requesting specific URLs, to disclose potentially sensitive information.
last seen2020-06-01
modified2020-06-02
plugin id128685
published2019-09-11
reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/128685
titleCisco Data Center Network Manager Information Disclosure Vulnerability
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128685);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/24 11:01:32");

  script_cve_id("CVE-2019-1622");
  script_bugtraq_id(108908);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvo64654");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190626-dcnm-infodiscl");
  script_xref(name:"IAVA", value:"2019-A-0221");

  script_name(english:"Cisco Data Center Network Manager Information Disclosure Vulnerability");
  script_summary(english:"Checks the version of Cisco Data Center Network Manager");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"An information disclosure vulnerability exists in the web-based management interface of Cisco Data Center Network
Manager (DCNM) due to improper access controls for certain URLs on affected DCNM software. An unauthenticated,
remote attacker can exploit this, by connecting to the web-based management interface of an affected device and
requesting specific URLs, to disclose potentially sensitive information.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a77dc334");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo64654");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvo64654");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1622");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Cisco Data Center Network Manager Unauthenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(284);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:data_center_network_manager");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("cisco_prime_dcnm_installed_win.nasl", "cisco_prime_dcnm_installed_linux.nasl");
  script_require_keys("installed_sw/Cisco Prime DCNM");

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('vcf.inc');

app = 'Cisco Prime DCNM';

get_install_count(app_name:app, exit_if_zero:TRUE);

app_info = vcf::get_app_info(app:app);
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { 'fixed_version' : '11.2.1.0', 'fixed_display' : '11.2(1)' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Packetstorm

References