Cisco has disclosed two critical vulnerabilities affecting core data center equipment. The vulnerabilities allow attackers to break into networks. Both errors were found during internal tests and a patch was released for them.
The first error is in the Digital Network Architecture (DNA) Center appliance, and makes the device vulnerable to an authentication bypass, reports ZDNet. This allows an “adjacent” hacker to skip authentication and cause damage to an organization’s critical internal services. With DNA Center, administrators can add new devices to a network and manage them based on enterprise policies.
The flaw, tracked as CVE-2019-1848, exists because Cisco did not sufficiently restrict access to the ports used to control the system. The vulnerability allows an attacker to connect an unauthorized device to the network. A successful exploit allows the attacker to access internal services that are not protected against remote access.
The error affects releases of Cisco DNA Center that are older than version 1.3.
The other flaw, CVE-2019-1625, is slightly less critical, but still serious. This vulnerability affects the command-line interface of the Cisco SD-WAN Solution. An attacker must be logged in and already have access to the equipment to exploit the flaw. If successful, the attacker can escalate to root user privileges on the affected device.
According to Cisco, the flaw was caused by insufficient authorization enforcement. “An attacker can exploit this vulnerability by authorizing himself to a device and executing commands that can lead to increased privileges. A successful exploit may allow the attacker to make configuration changes in the system as the root user.”
This flaw affects the vBond Orchestrator Software, vEdge Series Routers from the 100, 1000, 2000 and 5000 series, vEdge Cloud Router Platform, vManage Network Management Software and vSmart Controller Software. The products are vulnerable when running Cisco SD-WAN Solution releases prior to 18.3.6, 18.4.1 and 19.1.0.