CVE-2019-15976
Published 2020-01-06
Priority P1 (91) · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 92.84% (99.8th percentile)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | >= unspecified < n/a | n/a |
| cisco | data_center_network_manager | < 11.3(1) | 11.3(1) |
| cisco | data_center_network_manager | — | — |
Detection & IOCs (extracted from sources)
- Path: /DbAdminWSService/DbAdminWS
- Command: update xmldocs set document_name='<path>',content=decode('<hex>','hex') where user_name='1337';
- Snort/Suricata rule (sid 2033409):
```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbAdminWSService/DbAdminWS"; fast_pattern; http.request_body; content:""; content:""; content:""; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15976; classtype:attempted-admin; sid:2033409; rev:2; metadata:created_at 2021_07_24, cve CVE_2019_15976, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- The authentication bypass forges an SSO token using a hard-coded static secret string embedded in the DCNM application. Detect SOAP requests that carry this token pattern (sessionid.timestamp.base64md5.username) to unauthenticated endpoints.
- Monitor for unauthenticated POST requests to /DbAdminWSService/DbAdminWS whose SOAP body contains user-creation elements (global-admin role assignment), a key step in the exploit chain.
- Monitor for POST requests to /DbInventoryWSService/DbInventoryWS with stacked SQL injection payloads (semicolon-prefixed SQL followed by --) in the SOAP body.
- Detect directory traversal sequences (../../../../) in SOAP body content sent to /ReportWSService/ReportWS, used to write a JSP webshell outside the intended report directory.
- Alert on HTTP GET requests to /si.jsp on DCNM servers; they indicate that the JSP reverse shell has been written and is being triggered.
- Monitor for access to /serverinfo/HtmlAdaptor?action=displayServerInfos using HTTP Basic Auth, used by the exploit to leak the VFS temp path needed for webshell placement.
- The exploit uses a fixed timestamp value of 9999999999999 in the forged SSO token; this specific timestamp in SOAP authentication headers is a high-fidelity indicator.
- The JSESSIONID and resttoken cookie pattern (JSESSIONID=<56 chars>; resttoken=<digits>:<44 chars>) in responses to /j_spring_security_check can indicate a successful auth bypass and session establishment.
- The hard-coded static secret used to forge SSO tokens is baked into the DCNM application itself (CWE-798: Use of Hard-coded Credentials). The exploit does not require valid credentials: the username and session ID in the token need not exist on the target system.
- The exploit was tested and confirmed against Cisco DCNM 11.2.1 Installer for Windows (64-bit), Release 11.2(1), dated 18-Jun-2019. Other versions may be affected but were not confirmed in this PoC.
- This exploit chains CVE-2019-15976 (auth bypass) with CVE-2019-15984 (SQL injection) for full RCE. Detecting or patching only one of the two CVEs may not stop the full attack chain.
- Cisco confirmed there are no workarounds for these authentication bypass vulnerabilities; only software updates address them.
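The indicators above can be turned into request-level detection logic. The following is an added example (not code from the page's sources or from Cisco) that scores proxy/WAF request records against each stage of the chain; it assumes a simple dict record shape (method, path, headers, body), dot-separated token fields, and constructed sample traffic.

```python
import re
from typing import Dict, List

# Indicators taken from the detection notes above. The dot-separated token
# layout (sessionid.timestamp.base64md5.username) is an assumption about how
# the fields are joined; the fixed timestamp value itself is from the notes.
FIXED_TIMESTAMP = "9999999999999"
TOKEN_RE = re.compile(r"[^.\s<>]+\.(\d{13})\.[A-Za-z0-9+/=]{22,24}\.[^.\s<>]+")
STACKED_SQL_RE = re.compile(r";\s*(select|insert|update|delete|create|drop)\b.*--", re.I | re.S)
TRAVERSAL_RE = re.compile(r"(\.\./){3,}")

def analyse_request(req: Dict) -> List[str]:
    """Return the detection labels that fire for one request record."""
    method, path, body = req["method"], req["path"], req.get("body", "")
    headers = req.get("headers", {})
    hits: List[str] = []
    for m in TOKEN_RE.finditer(body + " " + " ".join(headers.values())):
        if m.group(1) == FIXED_TIMESTAMP:  # forged SSO token with the fixed timestamp
            hits.append("forged-sso-token-fixed-timestamp")
    if method == "POST" and path == "/DbAdminWSService/DbAdminWS" and "global-admin" in body:
        hits.append("dbadminws-user-creation")
    if method == "POST" and path == "/DbInventoryWSService/DbInventoryWS" and STACKED_SQL_RE.search(body):
        hits.append("dbinventoryws-stacked-sqli")
    if method == "POST" and path == "/ReportWSService/ReportWS" and TRAVERSAL_RE.search(body):
        hits.append("reportws-path-traversal")
    if method == "GET" and path.split("?")[0] == "/si.jsp":
        hits.append("si-jsp-webshell-request")
    if path.startswith("/serverinfo/HtmlAdaptor") and "action=displayServerInfos" in path \
            and headers.get("Authorization", "").startswith("Basic "):
        hits.append("serverinfo-basic-auth-leak")
    return hits

def scan(requests: List[Dict]) -> Dict[int, List[str]]:
    """Index -> labels for every request that triggered at least one label."""
    return {i: hits for i, req in enumerate(requests) if (hits := analyse_request(req))}

# Constructed sample traffic (not captured data): one benign login plus one
# request per stage in the notes, carrying a made-up token value.
FAKE_TOKEN = "sess1." + FIXED_TIMESTAMP + "." + "A" * 22 + "==.admin"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/DbAdminWSService/DbAdminWS",
     "body": f"<ssoToken>{FAKE_TOKEN}</ssoToken><roleName>global-admin</roleName>"},
    {"method": "POST", "path": "/DbInventoryWSService/DbInventoryWS", "body": "<name>x'; select 1 --</name>"},
    {"method": "POST", "path": "/ReportWSService/ReportWS", "body": "<file>../../../../tmp/x.jsp</file>"},
    {"method": "GET", "path": "/si.jsp"},
    {"method": "GET", "path": "/serverinfo/HtmlAdaptor?action=displayServerInfos",
     "headers": {"Authorization": "Basic Zm9vOmJhcg=="}},
    {"method": "POST", "path": "/j_spring_security_check", "body": "j_username=alice&j_password=hunter2"},
]
```

Each sample record fires exactly one stage label (the first fires two, since it carries both the forged token and the global-admin creation), while the benign login fires none.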
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- Vendor (Cisco): 9.8 CRITICAL
GHSA
GHSA-v89m-36f9-6rp4 (ghsa_unreviewed · 2022-05-24 · HIGH · CWE-798)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Cisco
Cisco Data Center Network Manager Authentication Bypass Vulnerabilities (vendor_cisco · 2020-01-02 · CVSS 9.8 · CVE-2019-15975 [CRITICAL] · CWE-798)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass
Cisco
CVE-2019-15976: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities (vendor_cisco · CVSS 3.0)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS: 3.0
CWE: CWE-798
Bug IDs: CSCvq85945, CSCvq89859, CSCvq89898
Suricata
ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976) (suricata · 2021-07-24 · CVSS 9.8 · CVE-2019-15976 [CRITICAL] · sid 2033409)
Talos
Threat Source newsletter (Jan. 9, 2019) (blogs_talos · 2020-01-09)
Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We’re back after a long break for the holidays. And 2020 is already off to a fast start as tensions continue to rise in the Middle East.
We’ve gotten a lot of questions about whether customers and users should be concerned about cyber attacks from Iran after they’ve exchanged missile strikes with the U.S. But the reality of the situation is, if you haven’t already been preparing for attacks from state-sponsored actors, it’s already too late. We run down our thoughts on the situation here.
We also have our first Beers with Talos episode of the new year out, where the guys run down the top threats of 2019 and talk about what less
Tenable
CVE-2019-15975, CVE-2019-15976, CVE-2019-15977: Critical Authentication Bypass Vulnerabilities in Cisco Data Center Network Manager (blogs_tenable · 2020-01-02 · CVSS 9.8 · [CRITICAL])
References
- http://packetstormsecurity.com/files/156239/Cisco-Data-Center-Network-Manager-11.2.1-SQL-Injection.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass
Published: 2020-01-06