CVE-2019-1622
published 2019-06-27


Priority: P2 65, medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: public exploit available
EPSS: 78.86% (99.5th percentile)
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
cisco | cisco_data_center_network_manager | >= unspecified, < 11.2(1) | 11.2(1)
cisco | data_center_network_manager | (not specified) | (not specified)
cisco | data_center_network_manager | (not specified) | (not specified)

Detection & IOCs (extracted from sources)

path: /fm/log/fmlogs.zip
path: /fm/fileUpload
path: /fm/pmreport
path: /fm/fmrest/about/version
cookie: JSESSIONID
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/log/fmlogs.zip"; endswith; fast_pattern; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1622; classtype:attempted-recon; sid:2033444; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_1622, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect unauthenticated HTTP GET requests to /fm/log/fmlogs.zip — this is the primary exploitation path for CVE-2019-1622 information disclosure, used to retrieve log archives without authentication.
  • Monitor for unauthenticated GET requests to /fm/pmreport with a 'token' query parameter — used by the exploit module as a check/auth-bypass probe.
  • Monitor for unauthenticated GET requests to /fm/fmrest/about/version — used by the exploit to fingerprint the DCNM version prior to exploitation.
  • Look for the hardcoded auth secret string 'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF' in network traffic or process memory — it is used to forge authentication tokens in the CVE-2019-1619 bypass chained with this CVE.
  • Alert on HTTP 500 responses from both /fm/pmreport and /fm/fileUpload in sequence from the same source IP — this is the exploit module's detection check pattern.
  • CVE-2019-1622 is chained with CVE-2019-1619 (auth bypass) and CVE-2019-1620 (file upload RCE) in the Metasploit module; detection/blocking of the log download path alone may not prevent full RCE if the other vulnerabilities are also present.
  • DCNM version 11.0(1) requires valid credentials to exploit, while 11.1(1) and 10.4(2) and earlier do not require authentication for this exploit chain.
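The two log-based checks above (an unauthenticated GET for /fm/log/fmlogs.zip, and a 500 on /fm/pmreport followed by a 500 on /fm/fileUpload from the same source) as a small detector over web-server access logs. This is an added example, not code from the page's sources or from Cisco; the log lines are constructed, and the combined-log-plus-cookie field format is an assumption to adapt to the real DCNM log format.

```python
import re

# Constructed sample lines: combined log format with an appended cookie="..."
# field (assumed format; the real server's log layout will differ).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2019:10:00:01 +0000] "GET /fm/fmrest/about/version HTTP/1.1" 200 88 cookie="-"
10.0.0.5 - - [27/Jun/2019:10:00:02 +0000] "GET /fm/pmreport?token=x HTTP/1.1" 500 0 cookie="-"
10.0.0.5 - - [27/Jun/2019:10:00:03 +0000] "GET /fm/fileUpload HTTP/1.1" 500 0 cookie="-"
10.0.0.5 - - [27/Jun/2019:10:00:04 +0000] "GET /fm/log/fmlogs.zip HTTP/1.1" 200 51233 cookie="-"
10.0.0.9 - - [27/Jun/2019:10:05:00 +0000] "GET /fm/log/fmlogs.zip HTTP/1.1" 200 51233 cookie="JSESSIONID=abc"
10.0.0.7 - - [27/Jun/2019:10:06:00 +0000] "GET /fm/pmreport?token=y HTTP/1.1" 500 0 cookie="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ cookie="(?P<cookie>[^"]*)"$'
)

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["target"].split("?", 1)[0]          # drop query string
    d["status"] = int(d["status"])
    d["authed"] = "JSESSIONID=" in d["cookie"]        # session cookie present?
    return d

def detect(log_text):
    """Return a list of (source_ip, reason) alerts for the CVE-2019-1622 patterns."""
    alerts = []
    probe_seen = set()  # source IPs that already received a 500 on /fm/pmreport
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        ip = r["ip"]
        if r["method"] == "GET" and r["path"] == "/fm/log/fmlogs.zip" and not r["authed"]:
            alerts.append((ip, "unauthenticated download of /fm/log/fmlogs.zip"))
        if r["status"] == 500 and r["path"] == "/fm/pmreport":
            probe_seen.add(ip)
        elif r["status"] == 500 and r["path"] == "/fm/fileUpload" and ip in probe_seen:
            alerts.append((ip, "500 on /fm/pmreport then /fm/fileUpload (exploit check pattern)"))
            probe_seen.discard(ip)
    return alerts

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(ip, reason)
```

A session cookie alone does not prove the request was authorised on the vulnerable versions, so treat the cookie check as a noise filter rather than as proof of legitimacy.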

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_cisco | (not specified) | 5.3 | MEDIUM | (not specified)