
CSRF and Command Runner Command Injection Vulnerabilities in Cisco DNA Center


Cisco DNA Center software has been reported to contain a high-severity security vulnerability (CVE-2021-1257) that allows cross-site request forgery (CSRF) attacks. Vulnerability management software can help detect this high-severity vulnerability. Cisco credited the vulnerability report to Benoit Malaboeuf and Dylan Garnaud of Orange. Cisco released initial information about the vulnerability on January 20, 2021.


Vulnerability details

Cisco DNA (Cisco Digital Network Architecture) is a management solution that makes the network simpler to manage and more agile and responsive to business requirements. Cisco DNA Center is the network management and command center for Cisco DNA, providing deep reach and visibility into an organization’s network from a single point of entry. DNA Center allows admins to provision and configure all network devices, and it enables them to monitor, troubleshoot and optimize networks proactively. The vulnerability discovered in the Cisco DNA Center web-based management interface could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cross-site request forgery is a web application vulnerability that allows an attacker to induce users to perform actions they do not intend to perform. The CVE-2021-1257 CVSS 3.x base score is 7.1, making it high-severity. A patch management tool can remediate this vulnerability.


Impact

The vulnerability arises from insufficient CSRF protections in the web-based management interface of Cisco DNA Center. In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally: a remote attacker tricks the victim into visiting a specially crafted web page, and because the victim’s browser automatically attaches the existing session credentials to the forged request, the interface accepts it as if the user had issued it. A successful exploit could allow the attacker to gain full control over the user’s account and perform arbitrary actions on the device with the authenticated user’s privileges, including modifying the device configuration, disconnecting the user’s session, and executing Command Runner commands. If the compromised user has a privileged role within the application, the attacker might be able to take full control of all the application’s data and functionality.
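To make the "insufficient CSRF protections" concrete, here is an added example (not Cisco’s code and not taken from the DNA Center interface) of the two server-side checks a state-changing endpoint of a web management interface should apply before acting on a request: a per-session synchronizer token that a cross-site page cannot read, and an Origin/Referer check against the application’s own host. The host name, the session and request dictionaries, and the `handle_run_command` endpoint are all constructed for the example.

```python
# Added example, not Cisco's code: minimal server-side CSRF defences for a
# state-changing request (the "run a command" action is hypothetical).
# The session and request objects are plain dicts constructed for the example;
# the session dict stands in for the server-side state tied to the session cookie
# that the victim's browser attaches automatically.
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical host of the management interface; a real deployment would
# derive this from its configured FQDN.
ALLOWED_ORIGINS = {"https://dnac.example.internal"}


def issue_csrf_token(session):
    """Bind a fresh random token to the session; the UI embeds it in its forms."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is our host.
    A request carrying neither is refused: a forged cross-site request has no
    legitimate reason to arrive without provenance."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin in ALLOWED_ORIGINS


def csrf_check(session, headers, submitted_token):
    """Both defences must pass: same-origin provenance and a matching token."""
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    # Constant-time comparison so token checking does not leak timing information.
    return hmac.compare_digest(expected.encode(), str(submitted_token).encode())


def handle_run_command(session, headers, form):
    """A state-changing endpoint that refuses any request failing the CSRF check.
    Returns an (HTTP status, message) tuple instead of executing anything."""
    if not csrf_check(session, headers, form.get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, f"accepted request for command: {form.get('command')}"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # A request from the application's own pages carries the token and the origin.
    print(handle_run_command(session,
                             {"Origin": "https://dnac.example.internal"},
                             {"csrf_token": token, "command": "show version"}))
    # A forged request from another site has the session (cookie) but cannot
    # read the token and arrives with a foreign Origin, so it is refused.
    print(handle_run_command(session,
                             {"Origin": "https://other-site.example"},
                             {"command": "show version"}))
```

The point of the pairing is that each check covers a weakness of the other: the Origin header can be absent on some navigations, and a token check alone relies on the token never being exposed, so an interface that skips both (as the advisory text describes) accepts whatever the victim’s browser is induced to send.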


Vulnerable software versions

This vulnerability affects Cisco DNA Center Software releases earlier than 2.1.1.0. Only these products are affected by this vulnerability.


Fixed Releases

A fix for this vulnerability was released in Cisco DNA Center Software releases *2.1.1.0, *2.1.2.0, *2.1.2.3, and 2.1.2.4 and later.


Command Runner Command Injection Vulnerability in Cisco DNA Center

Another critical vulnerability (CVE-2021-1264) in the Command Runner tool of Cisco DNA Center could allow an authenticated, remote attacker to perform a command injection attack. Command injection is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server running an application, and it typically fully compromises the application and all its data. The vulnerability was found during internal security testing, and Cisco first released details on January 20, 2021.


Vulnerability details and impact

Command Runner is a standalone application in Cisco DNA Center. It is used as part of Assurance to run commands on devices managed by Cisco DNA Center. The Command Runner application maintains a list of approved commands that can be executed on a managed device. The vulnerability arises from insufficient input validation by the Command Runner tool. It could be exploited by providing crafted input during command execution or via a crafted Command Runner API call. An attacker could also use this command injection vulnerability to enter additional commands on the managed device’s CLI or configuration CLI, bypassing the approved command list. The vulnerability is high-severity with a CVSS base score of 9.6.
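The passage above says the approved command list could be bypassed because input was not validated strictly enough. The following added example (not Cisco’s code and not a description of how Command Runner actually validates input) shows the general shape of that failure: a check that only matches an approved command prefix lets extra commands ride along after a separator or line break, whereas a check that rejects CLI/shell metacharacters and requires the entire normalised command to be on the allow-list does not. The approved list, the metacharacter set and the sample inputs are constructed for illustration.

```python
# Added example, not Cisco's code: allow-list validation for a "command runner"
# style feature, contrasting a prefix-only check with a strict whole-command check.
# APPROVED_COMMANDS and DANGEROUS are constructed for this example; a real
# product would derive them from its own approved list and the target CLI syntax.
import re
import shlex

APPROVED_COMMANDS = {
    "show version",
    "show interfaces",
    "show ip route",
}

# Characters that let one submitted "command" turn into several on a device CLI
# or a shell: line breaks, command separators, pipes, redirection, subshells.
DANGEROUS = re.compile(r"[\r\n;|&`$<>()]")


def prefix_only_check(cmd):
    """The weak form: accepts anything that merely starts with an approved command,
    so 'show version; reload' passes because of its 'show version' prefix."""
    return isinstance(cmd, str) and any(cmd.startswith(ok) for ok in APPROVED_COMMANDS)


def strict_check(cmd):
    """The strict form:
    1. reject anything that is not a string or contains a metacharacter;
    2. tokenise with shell-style quoting rules (unbalanced quotes are rejected);
    3. require the whole normalised command, not just its prefix, to be approved."""
    if not isinstance(cmd, str) or DANGEROUS.search(cmd):
        return False
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return False
    normalised = " ".join(tokens)
    return normalised in APPROVED_COMMANDS


def evaluate(samples):
    """Run both checks over a list of candidate commands and return, per command,
    which check would have let it through. Useful for reviewing a validator."""
    return {s: {"prefix_only": prefix_only_check(s), "strict": strict_check(s)}
            for s in samples}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate commands and three that smuggle
    # extra commands past a prefix match.
    samples = [
        "show version",
        "show   ip   route",
        "show version; reload",
        "show version\nconfigure terminal",
        "show version | include uptime",
    ]
    for cmd, verdict in evaluate(samples).items():
        print(repr(cmd), verdict)
```

The strict check deliberately errs on the side of refusing input: a legitimate command with an unusual argument is rejected until it is added to the approved list, which is the behaviour an allow-list is supposed to have. Detection-wise, requests that fail `strict_check` but would pass `prefix_only_check` are exactly the ones worth logging and alerting on.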


Affected versions

Cisco DNA Center Software releases earlier than 1.3.1.0 are affected, and only these products are affected by this vulnerability.


Fixed releases

This vulnerability is fixed in Cisco DNA Center Software releases 1.3.1.0 and later.


Software security updates

There are no workarounds from Cisco that address the above-mentioned vulnerabilities. Customers are expected to download software for which they have a valid license, procured from Cisco directly or through a Cisco authorized reseller or partner. Software update support from Cisco is limited to the software versions and feature sets purchased with a license. See the Cisco DNA Center Upgrade Guide.

Since Cisco DNA Center comes as a dedicated physical appliance purchased from Cisco with the DNA Center ISO image preinstalled, the system updates are available for installation from the Cisco cloud and are not available for download from the Software Center on Cisco.com.