Two severe security vulnerabilities (CVE-2018-0448, CVE-2018-15386) affecting Cisco’s Digital Network Architecture (DNA) Center software have been just patched. The DNA Center interface is used by network admins to add new devices to the network and manage them based on enterprise policies. The center is part of Cisco’s toolkit for internet-based networking.
More about CVE-2018-15386
This vulnerability could allow an unauthenticated, remote attacker to bypass authentication and have direct unauthorized access to critical management functions, Cisco explained. As already mentioned the flaw is rated critical and has a Common Vulnerability Scoring System (CVSS) v 3.0 rating of 9.8 out of 10, a quite high rating.
The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files.
The company has issued software updates that address CVE-2018-0448. Note that there are no workarounds that address the flaw, meaning that admins need to update to the latest released as soon as possible.
More about CVE-2018-0448
This is a vulnerability in the identity management service of Cisco Digital Network Architecture (DNA) Center. It affects all releases of Cisco DNA Center Software prior to Release 1.1.4. It could allow an unauthenticated, remote attacker to bypass authentication and take complete control of identity management functions, Cisco said.
The vulnerability is due to insufficient security restrictions for critical management functions. An attacker could exploit this vulnerability by sending a valid identity management request to the affected system.
In case of exploit, an attacker could be able to view and make unauthorized modifications to existing system users and also create new users.
The vulnerability has been addressed, with no possible workaround.
Fortunately, both vulnerabilities were unearthed during internal testing, and the company is not aware of any active exploits in the wild.
Both flaws were found during internal testing. Cisco is not aware of any exploits in the wild for the flaws.