Cisco DNA Center Bug Opens Enterprises to Remote Attack | Threatpost

The high-severity security vulnerability (CVE-2021-1257) allows cross-site request forgery (CSRF) attacks.

A cross-site request forgery (CSRF) vulnerability in the Cisco Digital Network Architecture (DNA) Center could open enterprise users to remote attack and takeover.

The flaw, tracked as CVE-2021-1257, exists in the web-based management interface of the Cisco DNA Center, which is a centralized network-management and orchestration platform for Cisco DNA. It carries a CVSS vulnerability-severity score of 7.1, making it high-severity.

Cisco DNA is the networking giant’s software-defined approach for aligning campus, branch, WAN and remote-worker elements of enterprise networks. The DNA Center allows admins to provision and configure all network devices, and it uses artificial intelligence (AI) and machine learning (ML) to proactively monitor, troubleshoot and optimize networks. It also integrates with third-party systems. In short, the DNA Center allows deep reach and visibility into an organization’s network, all from one point of entry.

The web-based management interface of Cisco DNA Center has insufficient CSRF protections in software releases prior to 2.1.1.0. The patch issued today addresses the problem.

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which the person is currently authenticated. Because the victim’s browser automatically attaches the session cookie to any request a third-party page triggers, the server cannot distinguish a forged request from a legitimate one unless it checks for something a cross-site page cannot supply, such as a per-session anti-CSRF token. Thus, the bug could allow an unauthenticated, remote attacker to “conduct an attack to manipulate an authenticated user into executing malicious actions without their awareness or consent,” according to Cisco’s advisory, issued on Monday.

An attacker could exploit the vulnerability by socially engineering a web-based management user into following a specially crafted link, say via a phishing email or chat. If the user clicks on the link, the attacker can then perform arbitrary actions on the device with the privileges of the authenticated user.

These actions include modifying the device configuration, disconnecting the user’s session and executing Command Runner commands, Cisco noted.
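The attack flow described above, as an added illustration that is not Cisco’s code and does not model DNA Center’s actual interface: a generic management UI with a Command Runner-style endpoint is shown twice, once trusting the session cookie alone (the class of weakness the advisory describes) and once with an Origin check plus a synchronizer token. The hostnames, the endpoint path and the command string are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed example, not Cisco DNA Center code. Models a generic web
# management UI to show why a forged cross-site POST succeeds when only the
# session cookie is checked, and how Origin validation plus a per-session
# synchronizer token stops it. The hostname and path below are assumptions.
MGMT_ORIGIN = "https://dnac.example.internal"
COMMAND_PATH = "/api/command-runner"


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


class SessionStore:
    """Server-side sessions: session id -> {user, csrf token}."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def handle_unprotected(sessions, req):
    """Vulnerable handler: a valid session cookie is all it checks."""
    sess = sessions.get(req.cookies.get("session", ""))
    if not sess:
        return 401, "unauthenticated"
    return 200, f"ran '{req.form['cmd']}' as {sess['user']}"


def _same_origin(value):
    # Compare scheme://host exactly; a prefix test would accept
    # https://dnac.example.internal.attacker.example.
    p = urlsplit(value or "")
    return f"{p.scheme}://{p.netloc}" == MGMT_ORIGIN


def handle_protected(sessions, req):
    """Hardened handler: same-origin check plus per-session synchronizer token."""
    sess = sessions.get(req.cookies.get("session", ""))
    if not sess:
        return 401, "unauthenticated"
    if req.method not in ("POST", "PUT", "DELETE"):
        return 405, "state-changing actions require POST"
    # Browsers send Origin on cross-site POSTs; fall back to Referer, refuse if absent.
    if not _same_origin(req.headers.get("Origin") or req.headers.get("Referer")):
        return 403, "cross-origin request refused"
    # The token is embedded in the legitimate form; an attacker's page cannot read it.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"ran '{req.form['cmd']}' as {sess['user']}"


def attacker_page():
    """Constructed phishing page behind the 'specially crafted link': auto-submits a form."""
    return (
        f'<form id="f" method="POST" action="{MGMT_ORIGIN}{COMMAND_PATH}">'
        '<input type="hidden" name="cmd" value="show running-config"></form>'
        "<script>document.getElementById('f').submit()</script>"
    )


def forged_request(sid):
    # What the victim's browser actually sends from the attacker's page: the
    # session cookie is attached automatically, Origin is the attacker's site,
    # and there is no csrf_token field.
    return Request("POST", COMMAND_PATH, {"Origin": "https://attacker.example"},
                   {"session": sid}, {"cmd": "show running-config"})


def legitimate_request(sid, csrf):
    return Request("POST", COMMAND_PATH, {"Origin": MGMT_ORIGIN},
                   {"session": sid}, {"cmd": "show running-config", "csrf_token": csrf})


def demo():
    """Returns the status code each handler gives the forged and legitimate requests."""
    sessions = SessionStore()
    sid = sessions.login("admin")
    csrf = sessions.get(sid)["csrf"]
    return {
        "unprotected_forged": handle_unprotected(sessions, forged_request(sid))[0],
        "protected_forged": handle_protected(sessions, forged_request(sid))[0],
        "protected_legit": handle_protected(sessions, legitimate_request(sid, csrf))[0],
    }
```

Both checks in the hardened handler matter: the Origin check alone fails for clients that strip the header, and the token alone is only as good as the secrecy of the page that carries it, so setting the session cookie with `SameSite=Lax` or `Strict` is a sensible third layer that keeps the browser from attaching it to cross-site POSTs in the first place.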

This vulnerability is fixed in Cisco DNA Center Software releases 2.1.1.0, 2.1.2.0, 2.1.2.3 and 2.1.2.4, and later. Cisco credited Benoit Malaboeuf and Dylan Garnaud from Orange for reporting the vulnerability.

More 2021 Cisco Security Bugs
This is just the latest concerning security vulnerability for Cisco this year. Last week, it warned of multiple, critical vulnerabilities in its SD-WAN solutions and DNA Center, among others.

One critical-severity flaw (CVE-2021-1299) exists in the web-based management interface of Cisco SD-WAN vManage software. The bug (which ranks 9.9 out of 10 on the CVSS scale) could allow an authenticated, remote attacker to gain root-level access to an affected system and execute arbitrary commands as the root user on the system.

A second critical flaw, CVE-2021-1300, which ranks 9.8 out of 10 on the CVSS scale, could allow an attacker to execute arbitrary code on the underlying operating system with root privileges.

And, a critical-severity flaw was found in the Command Runner tool of Cisco DNA Center (CVE-2021-1264), which ranks 9.6 out of 10 on the CVSS scale. A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center, according to Cisco.

Earlier in January, Cisco fixed high-severity flaws tied to 67 CVEs overall, including ones found in its AnyConnect Secure Mobility Client and in its RV110W, RV130, RV130W and RV215W small-business routers.

The most serious flaw (CVE-2021-1144) afflicted Cisco Connected Mobile Experiences (CMX), a software solution that is utilized by retailers to provide business insights or on-site customer experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer’s Wi-Fi network, including real-time customer-location tracking. The high-severity issue (8.8 out of 10 on the CVSS vulnerability-severity scale) could allow an authenticated attacker to impersonate any user on the system.