CVE-2019-1619
published 2019-06-27

Priority: P188
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 82.82% (99.6th percentile)

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.

Affected (3 ranges)

Vendor   Product                              Version range               Fixed in
cisco    cisco_data_center_network_manager    >= unspecified, < 11.1(1)   11.1(1)
cisco    data_center_network_manager          -                           -
cisco    data_center_network_manager          -                           -

Detection & IOCs (extracted from sources)

URLs:
  /fm/fileUpload
  /fm/pmreport
  /fm/fmrest/about/version
  /fm/log/fmlogs.zip
  /fm/downloadServlet
Cookie: JSESSIONID
Other: token=<sessionId>.<sysTime>.<md5_base64>.admin
Other: MD5('admin' + sessionId + sysTime + 'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF')
  • Alert on unauthenticated POST requests to /fm/fileUpload containing multipart form fields 'fname', 'uploadDir', and a WAR file payload — indicative of CVE-2019-1620 exploitation chained after CVE-2019-1619 auth bypass
  • Detect unauthenticated GET requests to /fm/log/fmlogs.zip — used by attackers (CVE-2019-1622) to retrieve Tomcat/JBoss log paths needed for WAR upload directory targeting
  • Flag HTTP 500 responses from both /fm/pmreport?token=<random> and /fm/fileUpload (GET with no params) as a fingerprinting/check step used by the exploit module
  • Monitor for the hardcoded HMAC salt string 'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF' appearing in HTTP traffic or process memory — its presence indicates active exploitation of the auth bypass
  • Detect unauthenticated GET requests to /fm/fmrest/about/version — used by the exploit to fingerprint the DCNM version before selecting the appropriate attack path
  • CVE-2019-1619 auth bypass only affects DCNM versions 10.4(2) and below; version 11.0(1) requires valid credentials for exploitation, and 11.1(1) does not require authentication via a different code path
  • Version 11.0(1) requires authentication (valid USERNAME/PASSWORD) to exploit; the auth bypass token-forging technique applies only to 10.4(2) and below
  • The exploit module defaults to SSL/TLS on port 443; detections should also cover non-SSL deployments on alternate ports

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_cisco   -         9.8     CRITICAL   -