CVE-2019-1622
Published 2019-06-27
Priority: P2 (65) · medium · 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 78.86% (99.5th percentile)
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | >= unspecified < 11.2(1) | 11.2(1) |
| cisco | data_center_network_manager | — | — |
| cisco | data_center_network_manager | — | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/log/fmlogs.zip"; endswith; fast_pattern; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1622; classtype:attempted-recon; sid:2033444; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_1622, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect unauthenticated HTTP GET requests to /fm/log/fmlogs.zip. This is the primary exploitation path for the CVE-2019-1622 information disclosure, used to retrieve log archives without authentication.
- Monitor for unauthenticated GET requests to /fm/pmreport with a 'token' query parameter, used by the exploit module as a check/auth-bypass probe.
- Monitor for unauthenticated GET requests to /fm/fmrest/about/version, used by the exploit to fingerprint the DCNM version prior to exploitation.
- Look for the hardcoded auth secret string 'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF' in network traffic or process memory; it is used to forge authentication tokens in the CVE-2019-1619 bypass chained with this CVE.
- Alert on HTTP 500 responses from both /fm/pmreport and /fm/fileUpload in sequence from the same source IP; this is the exploit module's detection check pattern.
- Note: CVE-2019-1622 is chained with CVE-2019-1619 (auth bypass) and CVE-2019-1620 (file upload RCE) in the Metasploit module; detection/blocking of the log download path alone may not prevent full RCE if the other vulnerabilities are also present.
- Note: DCNM version 11.0(1) requires valid credentials to exploit, while 11.1(1) and 10.4(2) and below do not require authentication for this exploit chain.
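The detection guidance above can be checked offline against web-server access logs. The following scanner is an added example written for this page; it is not from Cisco, Emerging Threats or the Metasploit module. It assumes DCNM's HTTP front end writes common-log-format lines, the log lines are constructed samples, and the finding tags (`fmlogs_zip_download`, `pmreport_token_probe`, `version_fingerprint`, `pmreport_fileupload_500_sequence`) are names chosen here. It flags the four request patterns listed above, including the per-source 500-then-500 sequence on /fm/pmreport and /fm/fileUpload, and groups findings by source IP so one host's probe chain is visible as a unit.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2021:10:00:01 +0000] "GET /fm/fmrest/about/version HTTP/1.1" 200 143
203.0.113.7 - - [27/Jul/2021:10:00:02 +0000] "GET /fm/pmreport?token=abc HTTP/1.1" 500 0
203.0.113.7 - - [27/Jul/2021:10:00:03 +0000] "GET /fm/fileUpload HTTP/1.1" 500 0
203.0.113.7 - - [27/Jul/2021:10:00:04 +0000] "GET /fm/log/fmlogs.zip HTTP/1.1" 200 5242880
198.51.100.9 - - [27/Jul/2021:10:05:00 +0000] "GET /fm/index.html HTTP/1.1" 200 2048
198.51.100.9 - - [27/Jul/2021:10:05:01 +0000] "POST /fm/fileUpload HTTP/1.1" 500 0
"""

# Common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for unparseable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path                # path without query string
    ev["query"] = parse_qs(parts.query)    # {'token': ['abc']} etc.
    ev["status"] = int(ev["status"])
    return ev


def scan(log_text):
    """Return (source_ip, tag, path) findings for the DCNM probe patterns, in log order."""
    findings = []
    # Source IPs that have produced a 500 on /fm/pmreport and not yet a 500 on /fm/fileUpload.
    pending_pmreport_500 = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, method, path, status = ev["ip"], ev["method"], ev["path"], ev["status"]

        # Same match as the ET rule: GET with URI ending in /fm/log/fmlogs.zip.
        if method == "GET" and path.endswith("/fm/log/fmlogs.zip"):
            findings.append((ip, "fmlogs_zip_download", path))
        # Check/auth-bypass probe: GET /fm/pmreport carrying a 'token' parameter.
        if method == "GET" and path.endswith("/fm/pmreport") and "token" in ev["query"]:
            findings.append((ip, "pmreport_token_probe", path))
        # Version fingerprinting endpoint.
        if method == "GET" and path.endswith("/fm/fmrest/about/version"):
            findings.append((ip, "version_fingerprint", path))

        # Sequence: HTTP 500 on /fm/pmreport followed by HTTP 500 on /fm/fileUpload from one IP.
        if path.endswith("/fm/pmreport") and status == 500:
            pending_pmreport_500.add(ip)
        elif path.endswith("/fm/fileUpload") and status == 500 and ip in pending_pmreport_500:
            findings.append((ip, "pmreport_fileupload_500_sequence", path))
            pending_pmreport_500.discard(ip)
    return findings


def by_source(findings):
    """Group finding tags per source IP so a full probe chain from one host stands out."""
    grouped = defaultdict(list)
    for ip, tag, _path in findings:
        grouped[ip].append(tag)
    return dict(grouped)


if __name__ == "__main__":
    for ip, tags in by_source(scan(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(tags))
```

On the constructed sample, 203.0.113.7 produces all four tags in order, while 198.51.100.9's lone 500 on /fm/fileUpload is not flagged because no preceding /fm/pmreport 500 came from that address. Both the `endswith` matching and the 500/500 sequence are taken directly from the rule and guidance above; tune the sequence logic with a time window if your logs interleave many sources.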
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_cisco | — | 5.3 | MEDIUM | — |
Palo Alto
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-09-04 · CVSS 6.0
CVE-2022-22965 [MEDIUM] PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2010-1622, CVE-2015-7552, CVE-2018-16840, CVE-2019-7639, CVE-2020-17049, CVE-2020-7774, CVE-2021-0131, CVE-2021-0132, CVE-2021-0133, CVE-2021-0134, CVE-2021-4044, CVE-2021-4160, CVE-2021-41773, CVE-2022-1343, CVE-2022-21449, CVE-2022-2274, CVE-2022-22963, CVE-2022-22965, CVE-2022-24697, CVE-2022-32207, CVE-2022-3358, CVE-2022-3996, CVE-2022-40664, CVE-2022-44792, CVE-2022-44793, CVE-2023-1255, CVE-2023-22809, CVE-2023-23919, CVE-2023-3341, CVE-2023-4236, CVE-2023-4863, CVE-2023-51767
Affected products: PAN-OS
Cisco
Cisco Data Center Network Manager Information Disclosure Vulnerability
vendor_cisco · 2019-06-26 · CVSS 5.3
CVE-2019-1622 [MEDIUM] CWE-532 Cisco Data Center Network Manager Information Disclosure Vulnerability
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device.
The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/
Cisco
Cisco Data Center Network Manager Information Disclosure Vulnerability
vendor_cisco · CVSS 3.0
CVE-2019-1622: Cisco Data Center Network Manager Information Disclosure Vulnerability
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device. There are no
CVSS: 3.0
CWE: CWE-532
Bug IDs: CSCvo64654
GHSA
ghsa_unreviewed · 2022-05-24
CVE-2019-1622 [MEDIUM] GHSA-v74g-p98c-6q4p: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to r
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.
Suricata
ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)
suricata · 2021-07-27 · CVSS 5.3
CVE-2019-1622 [MEDIUM] ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/log/fmlogs.zip"; endswith; fast_pattern; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1622; classtype:attempted-recon; sid:2033444; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_1622, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Fac
Exploit-DB
Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)
exploitdb · 2019-09-03 · CVSS 9.8
CVE-2019-1622 [CRITICAL] Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Class header restored to the standard Metasploit exploit-module skeleton; the
# extracted copy had collapsed the lines between the class name and 'Name'.
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
      'Description' => %q{
        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
        directory and achieve remote code execution as root.
        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
        directory for the WAR file upload.
        This module w
Metasploit
Cisco Data Center Network Manager Unauthenticated Remote Code Execution
metasploit · CVSS 9.8
CVE-2019-1619 [CRITICAL] Cisco Data Center Network Manager Unauthenticated Remote Code Execution
DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Jul/7
- http://www.securityfocus.com/bid/108908
- https://seclists.org/bugtraq/2019/Jul/11
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-infodiscl