Cisco warns of critical bugs in DNA Center

Cisco released a list of 16 security advisories on May 16, including three critical flaws in Digital Network Architecture (DNA) Center that rated 10/10 on the Common Vulnerability Scoring System (CVSS) scale and could allow an attacker to seize complete administrative control of the platform. Cisco Systems patched the bug on Wednesday.

One of the three, logged as CVE-2018-0222, is caused by DNA Center having default and static administrative account credentials, which an attacker could use to log into an affected system and execute commands with root privileges.

One of the critical bugs “could allow an unauthenticated, remote attacker to bypass authentication and access critical services,” according to Cisco. “The vulnerability is due to a failure to normalize URLs prior to service requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue. A successful exploit could allow the attacker to gain unauthenticated access to critical services, resulting in elevated privileges in DNA Center.”

Cisco also warned of four additional vulnerabilities – each rated high. All of the vulnerabilities have available patches for mitigation.

Each could allow an unauthenticated and remote attacker to bypass Cisco’s authentication checks and attack core functions of the DNA platform, which was introduced in 2016. DNA has been touted as a move away from the company’s hardware-centric business towards one more reliant on software and services; it’s an open, software-driven architecture focused on automation, virtualization, analytics and managed services.

The three critical flaws all give attackers elevated privileges that can compromise the entirety of DNA Center, but they go about it in very different ways. One involves exploiting a hardcoded admin password, one attacks the Kubernetes port, and the third relies on a specially crafted URL not being normalized before DNA Center resolves a service request.
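The URL-normalization root cause can be illustrated with a generic route guard that decides whether a request needs authentication. This is an added example, not Cisco's code or DNA Center's real routes; the `/api/system` prefix, the function names and every sample path are hypothetical and constructed for the demonstration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical route prefix that requires an authenticated session.
PROTECTED = ("/api/system",)


def _is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def naive_requires_auth(raw_target: str) -> bool:
    """Flawed guard: matches the request target exactly as received."""
    return _is_protected(urlsplit(raw_target).path)


def normalize_path(raw_target: str) -> str:
    """Canonicalize the path before any policy decision, or reject it."""
    path = unquote(urlsplit(raw_target).path)
    if unquote(path) != path:
        raise ValueError("double-encoded path")
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        raise ValueError("malformed path")
    path = re.sub(r"/{2,}", "/", path)   # collapse repeated slashes
    return posixpath.normpath(path)      # resolve "." and ".." segments


def requires_auth(raw_target: str) -> bool:
    """Hardened guard: normalize first, then match; bad targets fail closed."""
    try:
        return _is_protected(normalize_path(raw_target))
    except ValueError:
        return True  # a real gateway would normally answer 400 here


# Constructed test targets for the guard (not taken from any advisory).
SAMPLES = [
    "/api/system/config",
    "/public/../api/system/config",
    "/api//system/config",
    "/%61pi/system/config",
    "/public/%252e%252e/api/system/config",
]


def audit(samples=SAMPLES):
    """Return (target, naive_decision, hardened_decision) per sample."""
    return [(s, naive_requires_auth(s), requires_auth(s)) for s in samples]
```

Any row from `audit()` where the two decisions differ marks a request form that the pre-normalization check would have let through without authentication.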

Cisco announced DNA Center in the summer of 2017, offering customers network automation software and a centralized management interface for its “intent-based networking” system. Admins can use DNA Center to set policies for network segmentation, configure network infrastructure, and monitor network glitches. It ships as part of a dedicated appliance.