Cisco DCNM Update Released

Published: 2013-09-18. Last Updated: 2013-09-18 17:27:21 UTC
by Rob VandenBrink (Version: 1)
1 comment(s)

We continue to see web applications deployed to manage datacenter functions.  And I'm sorry to say, we continue to see security issues in these applications - some of them so simple a quick run-through with Burp or ZAP would red-flag them.

On that theme, today Cisco posted updates to DCNM (Cisco Prime Data Center Network Manager).  The issues resolved are not as simple as the ones I describe above (they take more than a simple scan to detect or exploit), but they do involve remote command execution and authentication bypass - two things most folks should have problems with in a Data Center Network Manager.

The advisory is here ==> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm

As per usual, a valid service contract is required to obtain the update.  My clients do have Cisco contracts, but I'm not sure how thrilled I am that you need to pay maintenance to fix security issues so fundamental.

===============
Rob VandenBrink
Metafore

Comments

Contrary to the writeup in this posting the update appears to be available for free. If you look at the text on obtaining fixed software in the link in the article you'll see "Cisco has released free software updates that address the vulnerability described in this advisory." This text occurs in all Cisco vulnerability announcements and, though I have not tried to leverage it myself as my equipment is under contract, I understand from others that you can obtain a fix this way.
