Cisco Systems patched three bugs on Wednesday that are rated critical, tied to its Digital Network Architecture (DNA) Center platform.

Cisco also warned of four additional vulnerabilities – each rated high. All of the vulnerabilities have available patches for mitigation.

All three of the critical vulnerabilities received a Common Vulnerability Scoring System rating of 10, the highest possible warning. Each could allow an unauthenticated and remote attacker to bypass Cisco’s authentication checks and attack core functions of the DNA platform, which was introduced in 2016. DNA has been touted as a move away from the company’s hardware-centric business towards one more reliant on software and services; it’s an open, software-driven architecture focused on automation, virtualization, analytics and managed services.

One of the critical bugs (CVE-2018-0271) “could allow an unauthenticated, remote attacker to bypass authentication and access critical services,” according to Cisco. “The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue. A successful exploit could allow the attacker to gain unauthenticated access to critical services, resulting in elevated privileges in DNA Center.”

A second critical vulnerability (CVE-2018-0222) could allow an unauthenticated, remote attacker to log in Cisco’s DNA services using an administrative account that has default and static user credentials.

“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software,” Cisco wrote. “A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”

Lastly, Cisco is warning of a critical, unauthorized access flaw (CVE-2018-0268) that could allow a successful adversary to completely compromise of a targeted Kubernetes container management subsystem within DNA Center.

As for the vulnerabilities rated high, these include a Linux shell access vulnerability (CVE-2018-0279) tied to Cisco’s network function virtualization infrastructure software; a cross-site forgery bug (CVE-2018-0270) in its IoT Field Network Director platform; a certificate validation bug (CVE-2018-0277) used in the company’s Identity Services Engine; and a denial of service vulnerability (CVE-2018-0280) related to the Cisco Meeting Server.

Cisco credits its own security team for finding the bugs.

“NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates,” wrote the United States National Cybersecurity and Communications Integration Center, in an alert released Wednesday regarding the bugs.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!