Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability

Related Vulnerabilities: CVE-2012-5417  

Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application. Cisco has released software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm Note: After this advisory was initially published, it was found that in addition to the DCNM SAN server component that is part of the DCNM solution, the DCNM LAN server is also affected by the same vulnerability. This advisory has been updated to revision 2.0 to indicate that the DCNM LAN server component is also vulnerable, to provide the Cisco bug ID that tracks the vulnerability in the DCNM LAN server component, and to update fixed software information.

Source

Summary

  • Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application.

    Cisco has released software updates that address this vulnerability.

    This advisory is available at the following link:

    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm

    Note: After this advisory was initially published, it was found that in addition to the DCNM SAN server component that is part of the DCNM solution, the DCNM LAN server is also affected by the same vulnerability. This advisory has been updated to revision 2.0 to indicate that the DCNM LAN server component is also vulnerable, to provide the Cisco bug ID that tracks the vulnerability in the DCNM LAN server component, and to update fixed software information.

Affected Products

  • Vulnerable Products

    All Cisco Prime Data Center Network Manager (DCNM) releases prior to release 6.1(2), for both the Microsoft Windows and Linux platforms, are affected by this vulnerability. Both the Cisco DCNM-LAN Server and Cisco DCNM-SAN Server, which are part of the Cisco Prime DCNM solution, are affected by this vulnerability.

    Note: Cisco DCNM-LAN Server and Cisco DCNM-SAN Server were different products until release 6.1(1), when both products converged into a single Cisco Prime DCNM product. All releases of Cisco DCNM-LAN Server and Cisco DCNM-SAN are affected by this vulnerability.

    To determine the Cisco Prime DCNM release that is running, administrators can connect to the computer that runs the Cisco Prime DCNM software using a web browser and HTTPS; the release number will be displayed in the login page, before logging in. The following example shows a device running version 6.1(1a): 
    Cisco Prime
Data Center Network Manager
Version: 6.1(1a)

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

Details

  • Cisco Prime DCNM, previously known as Cisco Data Center Network Manager, is a network management application that combines the management of Ethernet and storage networks into a single dashboard to help network and storage administrators manage and troubleshoot health and performance across different families of Cisco products that run Cisco NX-OS Software.

    Cisco Prime DCNM, both the Cisco DCNM-LAN Server and the Cisco DCNM-SAN Server components, running versions prior to 6.1(2) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Cisco Prime DCNM application.

    The vulnerability exists because JBoss Application Server Remote Method Invocation (RMI) services, specifically the jboss.system:service=MainDeployer functionality, are exposed to unauthorized users. An unauthenticated, remote attacker could exploit this vulnerability by sending arbitrary commands via RMI services. An exploit could allow the attacker to execute arbitrary commands on the device.

    Commands are executed in the context of the System user for Cisco Prime DCNM running on Microsoft Windows or the root user for Cisco Prime DCNM running on Linux.

    Cisco Prime DCNM uses TCP port 1099 or 9099, depending on the Cisco Prime DCNM version, for the RMI registry function. An RMI transaction always starts with a TCP connection to the RMI registry port.

    This vulnerability has been documented in Cisco bug IDs CSCtz44924 (registered customers only) and CSCua31204 (registered customers only), for the Cisco DCNM-SAN Server and the Cisco DNCM-LAN Server components, respectively, and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2012-5417.

Workarounds

  • Because RMI transactions start with a connection to the RMI registry port, which by default is TCP port 1099 or 9099 depending on the Cisco Prime DCNM version, allowing only legitimate devices to connect to the RMI registry port can mitigate this vulnerability.

    Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability," which is available at the following link:

    http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27268

Fixed Software

  • When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    This vulnerability is first fixed in Cisco Prime Data Center Network Manager release 6.1(2).

    Cisco Prime Data Center Network Manager can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html and navigating to Products > Cloud and Systems Management > Data Center Infrastructure Management > Cisco Prime Data Center Network Manager.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of malicious use of the vulnerability that is described in this advisory.

    The Metasploit framework has an exploit module (Jboss_maindeployer) that would exploit the JBoss configuration that caused this vulnerability.

    This vulnerability was reported to Cisco by Paul O'Grady of Security Compass (www.securitycompass.com). Cisco would like to thank Mr. O'Grady for reporting this vulnerability to us and for working with us towards coordinated disclosure of the vulnerability.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

  • Revision 2.0 2013-May-08 Updated advisory to indicate that the DCNM LAN server component of DNCM is also affected by this vulnerability. Added corresponding Cisco bug ID CSCua31204 and updated fixed software.
    Revision 1.0 2012-October-31 Initial public release.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started