Cisco has released a security advisory about a critical flaw in its Nexus Dashboard Fabric Controller (NDFC), which could allow a remote, authenticated attacker with low privileges to carry out a command injection attack on affected systems.
The issue stems from inadequate user authorization and improper validation of command inputs.
Vulnerability Details
Attackers can exploit the vulnerability by submitting specially crafted commands through an affected REST API endpoint or the web UI. Successful exploitation would enable the attacker to execute arbitrary commands on the CLI of a Cisco NDFC-managed device with network-admin privileges.
It’s important to note that the vulnerability does not impact Cisco NDFC when used in a storage area network (SAN) controller deployment.
Affected Products
- Vulnerable: Cisco Nexus Dashboard Fabric Controller
- Not Vulnerable: Cisco NDFC for SAN controller deployment, Nexus Dashboard Insights, Nexus Dashboard Orchestrator (NDO)
Cisco has released free software updates to address the issue, and customers with service contracts should obtain these updates through their usual channels. No workarounds are available for this vulnerability.
Fixed Software Versions:
- Cisco NDFC versions 11.5 and earlier: Not vulnerable
- Cisco NDFC version 12.0: Fixed in Release 12.2.2
- Cisco Nexus Dashboard version 3.2(1e): Contains Cisco NDFC Release 12.2.2
Customers are encouraged to upgrade to these fixed versions to reduce the risk of exploitation.
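As an added triage helper (not Cisco's code and not part of the advisory), the following script classifies NDFC instances in an inventory against the fixed-software table above. It assumes the table follows Cisco's usual "first fixed release" reading, so every NDFC 12.x release earlier than 12.2.2 is treated as affected, and it treats the deployment mode as known per instance, since SAN controller deployments are not affected; the inventory records are constructed sample data.

```python
import re
from typing import List, Tuple

# From the advisory's fixed-software table: 11.5 and earlier are not
# vulnerable; the 12.x train is fixed in Release 12.2.2. Assumption: every
# 12.x release below 12.2.2 is affected (standard first-fixed-release reading).
FIRST_FIXED = (12, 2, 2)
AFFECTED_TRAIN = 12

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn an NDFC version string such as '11.5' or '12.2.2' into a
    comparable (major, minor, patch) tuple; a missing patch counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NDFC version string: {text!r}")
    major, minor, patch = [int(g) if g else 0 for g in m.groups()]
    return (major, minor, patch)


def ndfc_exposure(version: str, deployment: str) -> str:
    """Return 'not_vulnerable', 'vulnerable' or 'fixed' for one NDFC
    instance. deployment is 'lan' or 'san' (SAN controller mode is unaffected)."""
    mode = deployment.lower()
    if mode not in ("lan", "san"):
        raise ValueError(f"unknown deployment mode: {deployment!r}")
    if mode == "san":
        return "not_vulnerable"      # advisory: SAN controller deployments unaffected
    v = parse_version(version)
    if v[0] < AFFECTED_TRAIN:
        return "not_vulnerable"      # 11.5 and earlier
    if v >= FIRST_FIXED:
        return "fixed"               # 12.2.2 or later
    return "vulnerable"


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "ndfc-lan-01", "version": "12.1.3", "deployment": "lan"},
    {"host": "ndfc-san-01", "version": "12.1.3", "deployment": "san"},
    {"host": "ndfc-legacy", "version": "11.5", "deployment": "lan"},
    {"host": "ndfc-lan-02", "version": "12.2.2", "deployment": "lan"},
]


def hosts_needing_upgrade(inventory=INVENTORY) -> List[str]:
    """List the hosts that must be upgraded to 12.2.2 or later."""
    return [r["host"] for r in inventory
            if ndfc_exposure(r["version"], r["deployment"]) == "vulnerable"]
```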
For customers without service contracts, Cisco recommends contacting the Cisco Technical Assistance Center (TAC) for help in obtaining the necessary updates. While there have been no known reports or public exploits of the vulnerability, Cisco’s Product Security Incident Response Team (PSIRT) is closely monitoring the situation.
Stay vigilant by regularly checking Cisco’s security advisories and applying updates as soon as possible.