CVE-2019-15984
Published: 2020-01-06
Priority: P270 · Severity: high · CVSS 3.1 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 46.94% (98.7th percentile)
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | >= unspecified < n/a | n/a |
| cisco | data_center_network_manager | < 11.3\(1\) | 11.3\(1\) |
| cisco | data_center_network_manager | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager SQL Injection Inbound (CVE-2019-15984)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbInventoryWS"; fast_pattern; http.request_body; content:"|3b|"; content:"|3b|--"; distance:0; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15984; classtype:attempted-admin; sid:2033411; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15984, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect POST requests to the SOAP endpoint /DbInventoryWSService/DbInventoryWS containing stacked SQL injection delimiters (a semicolon followed by SQL and a '--' terminator) in the request body; this is the primary injection vector for CVE-2019-15984.
- The Emerging Threats Snort rule (sid:2033411) fires on POST to URIs containing '/DbInventoryWS' with body bytes |3b| (';') and |3b|-- (';--'), which is the stacked-query injection pattern used by the exploit.
- Monitor for creation of, or HTTP access to, 'si.jsp' under the DCNM web root; the exploit writes a JSP reverse shell there via a second-order path traversal write.
- Alert on access to /serverinfo/HtmlAdaptor?action=displayServerInfos with HTTP Basic auth credentials; the exploit uses this endpoint to leak the VFS temp path needed for shell placement.
- Watch for SOAP calls to /ReportWSService/ReportWS with a user_name value of '1337'; the exploit uses this to create the traversal folder and the DB entry for the shell.
- The exploit uses a forged SSO token with a hardcoded far-future timestamp (9999999999999) and a known HMAC secret string ending in 'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF'; detect this pattern in Authorization/SSO headers.
- Detect SQL UPDATE/DELETE statements targeting the 'xmldocs' table in DCNM database audit logs; the exploit uses stacked queries to write and clean up the shell payload.
- Exploitation requires administrative privileges on the DCNM application; however, severity is significantly aggravated when chained with the simultaneously published Cisco DCNM Authentication Bypass vulnerabilities (CVE-2019-15976), which can provide those privileges without valid credentials.
- The exploit was tested and confirmed on Cisco DCNM 11.2.1 Installer for Windows (64-bit); other platforms/versions may behave differently.
- There are no workarounds available for these vulnerabilities; only vendor-supplied software updates address them.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_cisco | n/a | 7.2 | HIGH | n/a |
GHSA
GHSA-qcf5-882h-xj7h · ghsa_unreviewed · 2022-05-24 · CVE-2019-15984 [HIGH] · CWE-89
Title: Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device (description identical to the summary above).
Cisco
Cisco Data Center Network Manager SQL Injection Vulnerabilities · vendor_cisco · 2020-01-02 · CVSS 7.2 · CVE-2019-15984 [HIGH] · CWE-89
Description identical to the summary above. Cisco has released software updates that address these vulnerabilities. There are no workarounds that addres
Cisco
CVE-2019-15984: Cisco Data Center Network Manager SQL Injection Vulnerabilities · vendor_cisco · CVSS 3.0
Description identical to the summary above.
CWE: CWE-89
Bug IDs: CSCvq98723, CSCvq98730, CSCvq98736
Suricata
ET EXPLOIT Cisco Data Center Network Manager SQL Injection Inbound (CVE-2019-15984) · suricata · 2021-07-24 · CVSS 7.2 · CVE-2019-15984 [HIGH]
Rule: sid:2033411, rev:1 (full rule text given under Detection & IOCs above).
References:
- http://packetstormsecurity.com/files/156239/Cisco-Data-Center-Network-Manager-11.2.1-SQL-Injection.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject

Published: 2020-01-06