Critical Vulnerabilities in Cisco Products (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977)

Published on 07 Jan 2020

Updated on 11 Jan 2020

UPDATED 11 Jan 2020: Cisco has released security updates to address other vulnerabilities found in Cisco products, with two being identified as high severity (CVE-2019-16005 in Cisco Webex Video Mesh and CVE-2019-16009 in Cisco IOS or Cisco IOS XE). Refer to Recommendations for more details.


Background
Cisco has released security updates to address vulnerabilities found in multiple Cisco products.

Three high-severity vulnerabilities were identified and they require immediate attention. The vulnerabilities are:

  • CVE-2019-15975 & CVE-2019-15976 - These vulnerabilities in Cisco Data Center Network Manager (DCNM) exist because of the presence of a static encryption key, which could be used to access Application Programming Interfaces (APIs).
  • CVE-2019-15977 - A vulnerability in the web-based management interface of Cisco DCNM exists because of the presence of static credentials.

Affected Products
These vulnerabilities affect products running vulnerable software releases of:
  • Cisco DCNM releases earlier than 11.3(1)

Impact
Successful exploitation of these vulnerabilities could allow an attacker to gain administrative access and obtain confidential information from an affected device to conduct further attacks.

Recommendations
Users and system administrators of the affected products are advised to install the latest security updates available immediately.  More details on the security alerts can be found at https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities

References
https://tools.cisco.com/security/center/publicationListing.x