Cisco Security Advisory
Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability
Critical
Advisory ID:
cisco-sa-20121031-dcnm
First Published:
2012 October 31 16:00 GMT
Last Updated:
2013 May 8 16:00 GMT
Version 2.0:
Workarounds:
Cisco Bug IDs:
CVSS Score:
Base 10.0,
Temporal 8.3
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application.
Cisco has released software updates that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm
Note: After this advisory was initially published, it was found that in addition to the DCNM SAN server component that is part of the DCNM solution, the DCNM LAN server is also affected by the same vulnerability. This advisory has been updated to revision 2.0 to indicate that the DCNM LAN server component is also vulnerable, to provide the Cisco bug ID that tracks the vulnerability in the DCNM LAN server component, and to update fixed software information.
-
Vulnerable Products
All Cisco Prime Data Center Network Manager (DCNM) releases prior to release 6.1(2), for both the Microsoft Windows and Linux platforms, are affected by this vulnerability. Both the Cisco DCNM-LAN Server and Cisco DCNM-SAN Server, which are part of the Cisco Prime DCNM solution, are affected by this vulnerability.
Note: Cisco DCNM-LAN Server and Cisco DCNM-SAN Server were different products until release 6.1(1), when both products converged into a single Cisco Prime DCNM product. All releases of Cisco DCNM-LAN Server and Cisco DCNM-SAN are affected by this vulnerability.
To determine the Cisco Prime DCNM release that is running, administrators can connect to the computer that runs the Cisco Prime DCNM software using a web browser and HTTPS; the release number will be displayed in the login page, before logging in. The following example shows a device running version 6.1(1a):Cisco Prime Data Center Network Manager Version: 6.1(1a)
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
Cisco Prime DCNM, previously known as Cisco Data Center Network Manager, is a network management application that combines the management of Ethernet and storage networks into a single dashboard to help network and storage administrators manage and troubleshoot health and performance across different families of Cisco products that run Cisco NX-OS Software.
Cisco Prime DCNM, both the Cisco DCNM-LAN Server and the Cisco DCNM-SAN Server components, running versions prior to 6.1(2) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Cisco Prime DCNM application.
The vulnerability exists because JBoss Application Server Remote Method Invocation (RMI) services, specifically the jboss.system:service=MainDeployer functionality, are exposed to unauthorized users. An unauthenticated, remote attacker could exploit this vulnerability by sending arbitrary commands via RMI services. An exploit could allow the attacker to execute arbitrary commands on the device.
Commands are executed in the context of the System user for Cisco Prime DCNM running on Microsoft Windows or the root user for Cisco Prime DCNM running on Linux.
Cisco Prime DCNM uses TCP port 1099 or 9099, depending on the Cisco Prime DCNM version, for the RMI registry function. An RMI transaction always starts with a TCP connection to the RMI registry port.
This vulnerability has been documented in Cisco bug IDs CSCtz44924 (registered customers only) and CSCua31204 (registered customers only), for the Cisco DCNM-SAN Server and the Cisco DNCM-LAN Server components, respectively, and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2012-5417.
-
Because RMI transactions start with a connection to the RMI registry port, which by default is TCP port 1099 or 9099 depending on the Cisco Prime DCNM version, allowing only legitimate devices to connect to the RMI registry port can mitigate this vulnerability.
Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability," which is available at the following link:
https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=27268
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
This vulnerability is first fixed in Cisco Prime Data Center Network Manager release 6.1(2).
Cisco Prime Data Center Network Manager can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html and navigating to Products > Cloud and Systems Management > Data Center Infrastructure Management > Cisco Prime Data Center Network Manager.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of malicious use of the vulnerability that is described in this advisory.
The Metasploit framework has an exploit module (Jboss_maindeployer) that would exploit the JBoss configuration that caused this vulnerability.
This vulnerability was reported to Cisco by Paul O'Grady of Security Compass (www.securitycompass.com). Cisco would like to thank Mr. O'Grady for reporting this vulnerability to us and for working with us towards coordinated disclosure of the vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 2.0 2013-May-08 Updated advisory to indicate that the DCNM LAN server component of DNCM is also affected by this vulnerability. Added corresponding Cisco bug ID CSCua31204 and updated fixed software. Revision 1.0 2012-October-31 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.