CISCO patched two critical security vulnerabilities in the Digital Network Architecture Center. The patches come side by side massive updates from 36 different medium severity to critical vulnerabilities in various products in the same day.
Analytical Vulnerabilities Discovered In Cisco Digital Network Architecture Center
As disclosed, Cisco Digital Network Architecture Center (DNA) has two critical vulnerabilities that could allow an attacker to bypass authentication and access management functions. Both vulnerabilities were different in nature but had a similar impact allowing remote attacks.
The first vulnerability affecting the Cisco DNA Center involves authentication bypass. Exploiting this flaw could let an attacker to remotely control the identity management functions by simply bypassing the authentication. As stated in their security advisory,
“The vulnerability is due to insufficient security restrictions for critical management functions. An attacker could exploit this vulnerability by sending a valid identity management request to the affected system. An exploit could allow the attacker to view and make unauthorized modifications to existing system users as well as create new users.”
This DNA Authentication Bypass vulnerability (CVE-2018-0448) has achieved a critical severity level with a CVSS base score of 9.8. The versions affected by this flaw include Cisco DNA Center Software Release 1.1.4 and earlier.
The second flaw is a DNA Unauthenticated Access Vulnerability (CVE-2018-15386) that has achieved a CVSS base score of 9.8. The flaw could allow an attacker to remotely access the critical management functions after an authentication bypass. Explaining this vulnerability, Cisco stated in their advisory,
“The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files.”
Cisco Patched The Flaws
Cisco discovered both the vulnerabilities during internal security testing. They further confirm no malicious exploitation of this vulnerability before their discovery. The vendors quickly patched the flaws in the newer Cisco DNA Center Software versions. For CVE-2018-0448, the software Releases 1.1.4 and later carry the patch. Whereas, the Cisco DNA Center Release 1.2 and later fix the flaw CVE-2018-15386.
- This vulnerability affects all releases of Cisco DNA Center Software prior to Release 1.1.4.To determine which Cisco DNA Center Software release is running on a system, administrators can do the following:
- By using a compatible, HTTPS-enabled browser, log in to the Cisco DNA Center GUI via HTTPS.
- On the DNA Center home page, click the settings (gear) icon, and then click About DNA Center.