Patches released for Nexus Dashboard Fabric Controller vulnerabilities
A security researcher was able to achieve unauthenticated remote code execution against Cisco Nexus Dashboard Fabric Controller by exploiting an obsolete Java library with known vulnerabilities.
The researcher, Pedro Ribeiro, was able to put together a damaging exploit against the enterprise-grade network and storage management technology by chaining together a combination of vulnerabilities in the system.
The exploit chain allowed Ribeiro to escalate a web-based flaw to achieve a root shell, or complete compromise.
Ribeiro told The Daily Swig: “The first bug is a Java deserialization vulnerability in an old library. Then I abuse another old Java library deserialization gadget to achieve code execution as an unpriv user and finally a misconfigured sudo to perform privilege escalation to root.”
The security researcher reported the issue to Cisco through Trend Micro’s Zero Day Initiative around six months ago. Cisco was somewhat slow to respond but did release a software update last month that addressed the issue uncovered by Ribeiro.
In response to a query from The Daily Swig, Cisco said that the problem was resolved.
“On March 4, 2022, Cisco released a software update for Cisco Data Center Network Manager that includes a fix for the third-party software (TPS) vulnerability in Apache Flex BlazeDS that is identified by CVE-2017-5641.
“Cisco is tracking this vulnerability via its Bug ID CSCvz62623 and asks customers of this product to upgrade to software version 11.5(4).”
It added: “Cisco would like to thank Pedro Ribeiro from Agile Information Security working with Trend Micro Zero Day Initiative for reporting this vulnerability.”
The release of an update to Cisco Nexus Dashboard Fabric Controller cleared the way for Ribeiro to go public with details of the vulnerability and proof-of-concept exploit code in a technical blog post, published on GitHub last week.
The same technology was previously known as Cisco Data Center Network Manager (DCNM). Ribeiro found another, similarly critical, remote code execution vulnerability in the product under its previous name three years ago.
Ribeiro is unimpressed by Cisco's handling of their latest report.
"Cisco being Cisco as always," the researcher said. "They only have that bug ID behind a registration wall. There's no mention of the bug in their global security center database [and] six months to fix is indeed a long time."