CVE-2017-6640
published 2017-06-08CVE-2017-6640: A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative…
PriorityP270critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
10.72%
95.3th percentile
A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges. The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server. This vulnerability affects Cisco Prime Data Center Network Manager (DCNM) Software releases prior to Release 10.2(1) for Microsoft Windows, Linux, and Virtual Appliance platforms. Cisco Bug IDs: CSCvd95346.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | prime_data_center_network_manager | — | — |
| cisco | prime_data_center_network_manager | — | — |
| cisco | prime_data_center_network_manager | — | — |
| cisco | prime_data_center_network_manager_server_static_credential | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://172.26.24.15/Upload?svc=upload&maxFileSize=100000&tacCaseID=../../../../Program%20Files/Cisco%20Systems/dcm/jboss-as-7.2.0.Final/standalone/sandeployments↗
commandcurl -k -F 'data=@/tmp/webshell.war' "https://172.26.24.15/Upload?svc=upload&maxFileSize=100000&tacCaseID=../../../../Program%20Files/Cisco%20Systems/dcm/jboss-as-7.2.0.Final/standalone/sandeployments"↗
- →Monitor HTTP requests to the /Upload endpoint with the 'svc=upload' parameter and path traversal sequences (e.g., '../') in the 'tacCaseID' parameter, which is the exploitation vector for the XmpFileUploadServlet path traversal. ↗
- →Detect unauthenticated access attempts to the Cisco DCNM administrative console using default static credentials — the default user account is created automatically at install time. ↗
- →Alert on .war file uploads to the DCNM server's JBoss deployments directory, particularly via the XmpFileUploadServlet class, as this is the mechanism for achieving RCE via webshell deployment. ↗
- →Inspect for new files appearing under the JBoss standalone deployments path: Program Files/Cisco Systems/dcm/jboss-as-7.2.0.Final/standalone/sandeployments ↗
- ·The path traversal PoC targets a specific JBoss deployment path on Windows. The deployment path may differ on Linux and Virtual Appliance platforms. ↗
- ·The related path traversal vulnerability (XmpFileUploadServlet) also affects Cisco Prime Infrastructure, but requires authentication first in that product — unlike DCNM where it is unauthenticated. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f699-hchg-47fv: A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administra
ghsa_unreviewed·2022-05-13
CVE-2017-6640 [CRITICAL] CWE-770 GHSA-f699-hchg-47fv: A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administra
A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges. The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gai
Cisco
Cisco Prime Data Center Network Manager Server Static Credential Vulnerability
vendor_cisco·2017-06-07·CVSS 9.8
CVE-2017-6640 [CRITICAL] CWE-264 Cisco Prime Data Center Network Manager Server Static Credential Vulnerability
Cisco Prime Data Center Network Manager Server Static Credential Vulnerability
A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges.
The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the att
Cisco
Cisco Prime Data Center Network Manager Server Static Credential Vulnerability
vendor_cisco·CVSS 3.0
CVE-2017-6640 Cisco Prime Data Center Network Manager Server Static Credential Vulnerability
CVE-2017-6640: Cisco Prime Data Center Network Manager Server Static Credential Vulnerability
A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges. The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/98937http://www.securitytracker.com/id/1038625https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm2http://www.securityfocus.com/bid/98937http://www.securitytracker.com/id/1038625https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm2
2017-06-08
Published