CVE-2019-1620
Published 2019-06-27
Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 83.78% (99.7th percentile)
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | >= unspecified < 11.2(1) | 11.2(1) |
| cisco | data_center_network_manager | — | — |
| cisco | data_center_network_manager | — | — |
Detection & IOCs (extracted from sources)
suricata (ET rule, sid 2033445; the http.uri / http.request_body / http.header_names sticky buffers and endswith are Suricata 5+ syntax, not Snort)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Authenticated File Upload (CVE-2019-1620)"; flow:established,to_server; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; http.header_names; to_lowercase; content:"cookie|0d 0a|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033445; rev:3; metadata:created_at 2021_07_27, cve CVE_2019_1620, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_30;)
suricata (ET rule, sid 2033446; identical to the rule above except that the Cookie header must be absent)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Unauthenticated File Upload (CVE-2019-1620)"; flow:established,to_server; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; http.header_names; to_lowercase; content:!"cookie|0d 0a|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033446; rev:3; metadata:created_at 2021_07_27, cve CVE_2019_1620, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_30;)
- Detect the exploit check phase: an HTTP GET to /fm/pmreport with a random token parameter returning HTTP 500, followed by an HTTP GET to /fm/fileUpload returning HTTP 500, indicates a vulnerable DCNM instance being fingerprinted.
- Detect the auth bypass (CVE-2019-1619) token in a GET parameter to /fm/pmreport: the token format is sessionId.sysTime.base64(MD5).username, so look for a structured token query parameter on that endpoint.
- Detect WAR path disclosure abuse (CVE-2019-1622): an unauthenticated HTTP GET to /fm/log/fmlogs.zip retrieves the log archive, from which the Tomcat webapps deployment path is extracted from jboss*.log entries.
- Detect WAR file upload exploitation: a multipart POST to /fm/fileUpload containing the form fields 'fname' (ending in .war) and 'uploadDir' plus a binary octet-stream part. The ET rules differentiate the authenticated (Cookie header present) and unauthenticated variants.
- After the WAR upload, the attacker triggers execution with an HTTP GET to the deployed app's base path (/<random_app_name>). Monitor for GET requests to short alphanumeric paths on the DCNM server shortly after a fileUpload POST.
- Version fingerprinting via an unauthenticated GET to /fm/fmrest/about/version: the response body contains the version string (e.g. '11.1(1)', '11.0(1)', '10.4(2)'). Monitor for unauthenticated access to this endpoint as a precursor to exploitation.
- DCNM 11.0(1) requires valid credentials to exploit CVE-2019-1620; the auth bypass (CVE-2019-1619) only applies to versions 10.4(2) and below. Detection rules should account for authenticated uploads on 11.0(1).
- DCNM 11.1(1) requires no authentication at all to exploit CVE-2019-1620 directly, so no auth-bypass chaining is needed. Unauthenticated upload detections are the highest priority for this version.
- The Metasploit module chains three CVEs: CVE-2019-1619 (auth bypass), CVE-2019-1620 (file upload), and CVE-2019-1622 (log/info disclosure for the WAR path). Full kill-chain detection requires monitoring all three exploit stages.
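The detection points above (and the exploit chain the Metasploit module description lays out further down) condensed into a small offline detector, as an added example that is not part of this page's sources, the ET rules, or the Metasploit module. It runs over constructed HTTP request records; the record shape, the "short alphanumeric context path" heuristic, the 120-second upload-to-trigger window, and the sample token, path and WAR placeholder values are all assumptions made for the example.

```python
"""Offline detector for the CVE-2019-1620 exploit-chain stages (example code).
Input records are constructed sample HTTP requests, not real captures."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# CVE-2019-1619 token shape quoted on this page: sessionId.sysTime.base64(MD5).username
PMREPORT_TOKEN_RE = re.compile(r"^[^.\s]+\.\d+\.[A-Za-z0-9+/]+={0,2}\.[^.\s]+$")
# Assumption: a freshly deployed WAR is reached at a short alphanumeric context path
SHORT_APP_PATH_RE = re.compile(r"^/[A-Za-z0-9]{4,16}/?$")
PART_NAME_RE = re.compile(r';\s*name="([^"]+)"')      # ';' avoids matching filename="
PART_CTYPE_RE = re.compile(r"Content-Type:\s*([^\s;]+)", re.I)
TRIGGER_WINDOW = timedelta(seconds=120)  # assumed gap between upload and first GET


def multipart_fields(body: str) -> Dict[str, str]:
    """Map each multipart part name to its text value, or to its Content-Type for
    file parts, so the caller can spot application/octet-stream like the ET rules."""
    fields: Dict[str, str] = {}
    m = re.match(r"--([^\r\n]+)", body)
    if not m:
        return fields
    for part in body.split("--" + m.group(1)):
        part = part.strip()
        if not part or part == "--":
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = PART_NAME_RE.search(headers)
        if not name:
            continue
        ctype = PART_CTYPE_RE.search(headers)
        fields[name.group(1)] = ctype.group(1) if ctype else value.strip()
    return fields


def classify(req: dict) -> List[str]:
    """Stateless checks: one tag per exploit stage the request matches."""
    tags: List[str] = []
    url = urlsplit(req["url"])
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    authed = "cookie" in headers  # same discriminator as ET sids 2033445/2033446
    if req["method"] == "GET":
        if url.path == "/fm/fmrest/about/version" and not authed:
            tags.append("recon:version_fingerprint")
        if url.path == "/fm/pmreport" and PMREPORT_TOKEN_RE.match(query.get("token", "")):
            tags.append("auth_bypass:CVE-2019-1619_token")
        if url.path == "/fm/log/fmlogs.zip" and not authed:
            tags.append("info_disclosure:CVE-2019-1622_fmlogs")
    elif req["method"] == "POST" and url.path.endswith("/fm/fileUpload"):
        fields = multipart_fields(req.get("body", ""))
        if "fname" in fields and "uploadDir" in fields and "application/octet-stream" in fields.values():
            tag = "upload:CVE-2019-1620_" + ("authenticated" if authed else "unauthenticated")
            if fields["fname"].lower().endswith(".war"):
                tag += "_war"
            tags.append(tag)
    return tags


def detect(requests: List[dict]) -> List[Tuple[str, str, str]]:
    """Run classify() over time-ordered requests and add the two stateful signals:
    the check-phase probe (pmreport 500 then fileUpload 500 from one source) and the
    WAR trigger (GET to a short app path shortly after that source's fileUpload POST)."""
    alerts: List[Tuple[str, str, str]] = []
    probe_seen: Dict[str, bool] = {}
    last_upload: Dict[str, datetime] = {}
    for req in sorted(requests, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(req["ts"])
        src, path = req["src"], urlsplit(req["url"]).path
        for tag in classify(req):
            alerts.append((req["ts"], src, tag))
            if tag.startswith("upload:"):
                last_upload[src] = ts
        if req["method"] == "GET" and req.get("status") == 500:
            if path == "/fm/pmreport":
                probe_seen[src] = True
            elif path == "/fm/fileUpload" and probe_seen.get(src):
                alerts.append((req["ts"], src, "recon:check_probe"))
        if req["method"] == "GET" and SHORT_APP_PATH_RE.match(path):
            t0 = last_upload.get(src)
            if t0 is not None and ts - t0 <= TRIGGER_WINDOW:
                alerts.append((req["ts"], src, "exec:war_trigger_after_upload"))
    return alerts


B = "--b1\r\n"
UPLOAD_BODY = (  # constructed multipart body; the WAR bytes and uploadDir are placeholders
    B + 'Content-Disposition: form-data; name="fname"\r\n\r\nhZk3x.war\r\n'
    + B + 'Content-Disposition: form-data; name="uploadDir"\r\n\r\n/path/to/webapps\r\n'
    + B + 'Content-Disposition: form-data; name="file"; filename="hZk3x.war"\r\n'
    + "Content-Type: application/octet-stream\r\n\r\nPK\x03\x04...\r\n--b1--\r\n"
)
SAMPLE_REQUESTS = [  # constructed: one full chain from 10.0.0.5, one authed upload from 10.0.0.9
    {"ts": "2019-07-01T10:00:00", "src": "10.0.0.5", "method": "GET", "status": 200, "url": "/fm/fmrest/about/version", "headers": {}},
    {"ts": "2019-07-01T10:00:01", "src": "10.0.0.5", "method": "GET", "status": 500, "url": "/fm/pmreport?token=kq7mzp", "headers": {}},
    {"ts": "2019-07-01T10:00:02", "src": "10.0.0.5", "method": "GET", "status": 500, "url": "/fm/fileUpload", "headers": {}},
    {"ts": "2019-07-01T10:00:05", "src": "10.0.0.5", "method": "GET", "status": 200, "url": "/fm/pmreport?token=SESSIONID.1561971605000.dGVzdA==.admin", "headers": {}},
    {"ts": "2019-07-01T10:00:06", "src": "10.0.0.5", "method": "GET", "status": 200, "url": "/fm/log/fmlogs.zip", "headers": {}},
    {"ts": "2019-07-01T10:00:09", "src": "10.0.0.5", "method": "POST", "status": 200, "url": "/fm/fileUpload", "headers": {"Content-Type": "multipart/form-data; boundary=b1"}, "body": UPLOAD_BODY},
    {"ts": "2019-07-01T10:00:12", "src": "10.0.0.5", "method": "GET", "status": 200, "url": "/hZk3x/", "headers": {}},
    {"ts": "2019-07-01T11:30:00", "src": "10.0.0.9", "method": "POST", "status": 200, "url": "/fm/fileUpload", "headers": {"Cookie": "JSESSIONID=constructed", "Content-Type": "multipart/form-data; boundary=b1"}, "body": UPLOAD_BODY},
    {"ts": "2019-07-01T11:45:00", "src": "10.0.0.9", "method": "GET", "status": 404, "url": "/login", "headers": {}},
]

if __name__ == "__main__":
    for ts, src, tag in detect(SAMPLE_REQUESTS):
        print(ts, src, tag)
```

The last record shows why the trigger check is windowed: /login is a short alphanumeric path, but it arrives 15 minutes after the upload and produces no alert. The stateful probe signal depends on seeing response status codes, so it only works on a log source that records them (proxy or web-server logs); a pure request-side sensor can still raise the stateless tags.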
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_cisco | — | 9.8 | CRITICAL | — |
GHSA
GHSA-5r5x-3gwj-56vr: CVE-2019-1620 [CRITICAL]
ghsa_unreviewed · 2022-05-24
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.
Cisco
Cisco Data Center Network Manager Arbitrary File Upload and Remote Code Execution Vulnerability
vendor_cisco · 2019-06-26 · CVSS 9.8 · CVE-2019-1620 [CRITICAL] · CWE-264
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device.
The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the follo
Cisco
Cisco Data Center Network Manager Arbitrary File Upload and Remote Code Execution Vulnerability
vendor_cisco · CVSS version 3.0 · CVE-2019-1620
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device. Cisco has released software updates that address this vulnerability. There are no
CVSS version: 3.0
CWE: CWE-264
Bug ID: CSCvo64647
Suricata
ET EXPLOIT Possible Cisco Data Center Network Manager - Authenticated File Upload (CVE-2019-1620)
suricata · 2021-07-27 · CVSS 9.8 · CVE-2019-1620 [CRITICAL]
Rule: sid 2033445 (the full rule text is listed under Detection & IOCs above; it matches a multipart POST to /fm/fileUpload carrying fname, uploadDir and an application/octet-stream part when a Cookie header is present)
Suricata
ET EXPLOIT Possible Cisco Data Center Network Manager - Unauthenticated File Upload (CVE-2019-1620)
suricata · 2021-07-27 · CVSS 9.8 · CVE-2019-1620 [CRITICAL]
Rule: sid 2033446 (the full rule text is listed under Detection & IOCs above; same match as sid 2033445 but with the Cookie header absent)
Exploit-DB
Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)
exploitdb · 2019-09-03 · CVSS 9.8 · indexed under CVE-2019-1622 [CRITICAL]
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
      'Description' => %q{
        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
        directory and achieve remote code execution as root.
        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
        directory for the WAR file upload.
        This module w
Metasploit
Cisco Data Center Network Manager Unauthenticated Remote Code Execution
metasploit · CVSS 9.8 · indexed under CVE-2019-1619 [CRITICAL]
DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Jul/7
- http://www.securityfocus.com/bid/108906
- https://seclists.org/bugtraq/2019/Jul/11
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
Published: 2019-06-27