Security Researcher Finds 120+ Vulnerabilities in Cisco DCNM

Security researcher Steven Seeley of Source Incite found more than a hundred vulnerabilities that could let hackers bypass authentication in the Cisco Data Center Network Manager (DCNM).

The flaws essentially allow hackers to waltz into data centre systems and even access hard-coded credentials. According to Tenable, researchers were able to analyze three major and critical bugs that “are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM due to the existence of a static encryption key shared between installations.”

In addition to accessing encrypted data, a hacker exploiting the flaws can also execute arbitrary actions with administrative privileges.

Cisco DCNM software release 11.3 for Microsoft Windows, Linux, and virtual appliance platforms is affected.


Given the large scope of the vulnerabilities, the company came under fire from security experts. A security specialist from Australia said, “[Cisco] is literally the worst, they could be [providing an attacker with] authenticated remote code execution as root. A hacker could access anything, credentials, etc.”

Meanwhile, earlier this week, Cisco confirmed that it had already patched the bugs in DCNM, its management solution for all NX-OS networks, which spans LAN fabrics, SAN, and IP Fabric for Media networking.

Vulnerabilities In Cisco DCNM

Cisco also fixed flaws of lesser severity in another component tied to the DCNM. The new software update contains all the patches for the major bugs. Customers are urged to uninstall the software and install the latest version.

Patch Delay

SecureData expert Car Morris reiterated that Cisco has a history of delaying patches, which can affect its customers. In his words, “Cisco issues security updates that remove static keys or hardcoded credentials. This type of security flaw, speaking in the most flattering terms, equates to extreme laziness and negligence from a software development and quality assurance point of view.”


Such negligence is problematic, especially when there is a long delay in the availability of a patch. The risk of cyber conflict increases further if the software provider cannot fix the problem. “Smaller nation states can launch cyber attacks against businesses, normally protected by their military in an armed conflict,” said Morris.

Cisco Systems is an American multinational tech company that sells networking hardware, telecommunications equipment, and software. The critical bugs in the DCNM software were found in the first week of January this year.
