CVE-2017-6639

HPE Security Bulletin HPESB3P03762 1

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system. The vulnerability is due to the lack of authentication and authorization mechanisms for a debugging tool that was inadvertently enabled in the affected software. An attacker could exploit this vulnerability by remotely connecting to the debugging tool via TCP. A successful exploit could allow the attacker to access sensitive information about the affected software or execute arbitrary code with root privileges on the affected system. This vulnerability affects Cisco Prime Data Center Network Manager (DCNM) Software Releases 10.1(1) and 10.1(2) for Microsoft Windows, Linux, and Virtual Appliance platforms. Cisco Bug IDs: CSCvd09961.

Una vulnerabilidad en la funcionalidad role-based access control (RBAC) de Prime Data Center Network Manager (DCNM) de Cisco, podría permitir a un atacante remoto no identificado acceder a información confidencial o ejecutar código arbitrario con privilegios root en un sistema afectado. La vulnerabilidad es debido a la falta de mecanismos de identificación y autorización para una herramienta de depuración que se habilitó inadvertidamente en el software afectado. Un atacante podría explotar esta vulnerabilidad mediante la conexión remota a la herramienta de depuración por medio de TCP. Una explotación con éxito podría permitir al atacante acceder a información confidencial sobre el software afectado o ejecutar código arbitrario con privilegios root en el sistema afectado. Esta vulnerabilidad afecta al Programa Prime Data Center Network Manager (DCNM) de Cisco versiones 10.1(1) y 10.1(2) para plataformas de Microsoft Windows, Linux y Virtual Appliance. ID de bug de Cisco: CSCvd09961.

HPE StoreFabric C-series Switch Software uses Ciscos Prime Data Center Network Manager (DCNM). Cisco has identified a remote code execution vulnerability in two versions of Cisco Prime Data Center Network Manager (DCNM) which HPE had included for download for customers under contract from the HPE Support Center. The affected versions of DCNM are 10.1(1) and 10.1(2). HPE bundled these DCNM versions with the following MDS and Nexus firmware downloads: * MDS 7.3(0)DY(1), released February 2017 * MDS 7.3(1)DY(1), released April 2017 * Nexus 5.2(1)N1(9b), released May 2017 **Note:** A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system. The vulnerability is due to the lack of authentication and authorization mechanisms for a debugging tool that was inadvertently enabled in the affected software. An attacker could exploit this vulnerability by remotely connecting to the debugging tool via TCP. A successful exploit could allow the attacker to access sensitive information about the affected software or execute arbitrary code with root privileges on the affected system. Revision 1 of this advisory.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-03-09 CVE Reserved
2017-06-08 CVE Published
2024-08-05 CVE Updated
2025-04-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-16: Configuration
CWE-862: Missing Authorization

CAPEC

References (4)

URL	Tag	Source
http://www.securityfocus.com/bid/98935	Third Party Advisory
http://www.securitytracker.com/id/1038626	Vdb Entry
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesb3p03762en_us	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1	2019-10-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Prime Data Center Network Manager Search vendor "Cisco" for product "Prime Data Center Network Manager"				10.1\(1\) Search vendor "Cisco" for product "Prime Data Center Network Manager" and version "10.1\(1\)"		-		Affected
Cisco Search vendor "Cisco"		Prime Data Center Network Manager Search vendor "Cisco" for product "Prime Data Center Network Manager"				10.1\(2\) Search vendor "Cisco" for product "Prime Data Center Network Manager" and version "10.1\(2\)"		-		Affected
Cisco Search vendor "Cisco"		Prime Data Center Network Manager Search vendor "Cisco" for product "Prime Data Center Network Manager"				10.1.0 Search vendor "Cisco" for product "Prime Data Center Network Manager" and version "10.1.0"		-		Affected