Cisco Security Advisory
Multiple Vulnerabilities in Cisco Prime Data Center Network Manager
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Cisco Prime Data Center Network Manager (DCNM) contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to disclose file components, and access text files on an affected device. Various components of Cisco Prime DCNM are affected. These vulnerabilities can be exploited independently on the same device; however, a release that is affected by one of the vulnerabilities may not be affected by the others.
Cisco Prime DCNM is affected by the following vulnerabilities:- Cisco Prime DCNM Information Disclosure Vulnerability
- Cisco Prime DCNM Remote Command Execution Vulnerabilities
- Cisco Prime DCNM XML External Entity Injection Vulnerability
Cisco has released software updates that address these vulnerabilities. There are currently no workarounds that mitigate these vulnerabilities. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm
-
Vulnerable Products
The following products are affected by the vulnerabilities that are described in this advisory:
The vulnerabilities described in this advisory affect all versions of Cisco Prime DCNM prior to 6.2(1).Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco Prime DCNM, previously known as Cisco Data Center Network Manager, is a network management application that combines the management of Ethernet and storage networks into a single dashboard to help network and storage administrators manage and troubleshoot health and performance across different families of Cisco products that run Cisco NX-OS Software.
Cisco Prime DCNM Information Disclosure Vulnerability
The Cisco DCNM-SAN Server component of Cisco Prime DCNM contains a vulnerability that could allow an unauthenticated, remote attacker to disclose arbitrary file contents on an affected system.
This vulnerability has been documented in Cisco bug ID CSCue77029 (registered customers only) and has been assigned CVE identifier CVE-2013-5487.
Cisco Prime DCNM Remote Command Execution Vulnerabilities
The Cisco DCNM-SAN Server component of Cisco Prime DCNM contains two vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Cisco Prime DCNM application.
Commands are executed in the context of the system user for Cisco Prime DCNM running on Microsoft Windows or the root user for Cisco Prime DCNM running on Linux.
These vulnerabilities have been documented in Cisco bug IDs CSCue77035 (registered customers only) and CSCue77036 (registered customers only), and have been assigned the CVE identifier CVE-2013-5486.
Cisco Prime DCNM XML External Entity Injection Vulnerability
Cisco Prime DCNM is affected by a vulnerability which could allow an unauthenticated, remote attacker to access arbitrary text files on the underlying operating system with the privilege of root using an XML external entity injection attack. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information.
This vulnerability is documented in Cisco bug ID CSCud80148 (registered customers only) and has been assigned CVE identifier CVE-2013-5490
-
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=30682
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
All of the vulnerabilities included in this advisory are fixed in the Cisco Prime DCNM version 6.2(1) or later.
You can download the latest version of Cisco Data Center Network Manager by clicking on the following link:
http://software.cisco.com/download/release.html?mdfid=281722751&softwareid=282088134&release=6.2%283%29&relind=AVAILABLE&rellifecycle=&reltype=latest&i=rm
Cisco Prime DCNM can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html and navigating to Products > Cloud and Systems Management > Data Center Infrastructure Management > Cisco Prime Data Center Network Manager.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
The Cisco Prime DCNM remote command execution vulnerabilities and the Cisco Prime DCNM information disclosure vulnerability were reported to Cisco by Andrea Micalizzi aka rgod working with HP's Zero Day Initiative.
The Cisco Prime DCNM XML external entity injection vulnerability was reported to Cisco by Ben Williams with NCC Group.
Cisco would like to thank these researchers for reporting these vulnerabilities to us and for working with us toward a coordinated disclosure of the vulnerabilities.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2 2013-November-05 Updated "Exploitation and Public Annoucements" section to include the name of the researcher working with the HP Zero Day Initiative. Revision 1.1 2013-September-19 Reworded the vulnerable versions to be more concise. Updated "Software Versions and Fixes" section to clarify the fixed version. Revision 1.0 2013-September-18 Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.