Cisco Prime Data Center Network Manager (DCNM) contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to disclose file components and access text files on an affected device. Various components of Cisco Prime DCNM are affected.

These vulnerabilities can be exploited independently on the same device; however, a release that is affected by one of the vulnerabilities may not be affected by the others. Cisco Prime DCNM is affected by the following vulnerabilities:

- Cisco Prime DCNM Information Disclosure Vulnerability
- Cisco Prime DCNM Remote Command Execution Vulnerabilities
- Cisco Prime DCNM XML External Entity Injection Vulnerability

Cisco has released software updates that address these vulnerabilities. There are currently no workarounds that mitigate these vulnerabilities.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
All of the vulnerabilities included in this advisory are fixed in Cisco Prime DCNM version 6.2(1) or later.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
The Cisco Prime DCNM remote command execution vulnerabilities and the Cisco Prime DCNM information disclosure vulnerability were reported to Cisco by Andrea Micalizzi aka rgod working with HP's Zero Day Initiative.
The Cisco Prime DCNM XML external entity injection vulnerability was reported to Cisco by Ben Williams with NCC Group.
Cisco would like to thank these researchers for reporting these vulnerabilities to us and for working with us toward a coordinated disclosure of the vulnerabilities.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.2 | 2013-November-05 | Updated the "Exploitation and Public Announcements" section to include the name of the researcher working with the HP Zero Day Initiative.
Revision 1.1 | 2013-September-19 | Reworded the vulnerable versions to be more concise. Updated the "Software Versions and Fixes" section to clarify the fixed version.
Revision 1.0 | 2013-September-18 | Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.