Cisco Device Manager Command Execution Vulnerability (cisco-sa-20130424-fmdm)

Severity: High | Nessus Plugin ID 66699

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

Cisco Device Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on a client host with the privileges of the user.

This vulnerability affects Cisco Device Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches when it is installed or launched via the Java Network Launch Protocol (JNLP) on a host running Microsoft Windows. Cisco Device Manager installed or launched from Cisco Prime Data Center Network Manager (DCNM) or Cisco Fabric Manager is not affected. This vulnerability can only be exploited if the JNLP file is executed on systems running Microsoft Windows.

The vulnerability affects the confidentiality, integrity, and availability of the client host performing the installation or execution of Cisco Device Manager via the JNLP file. There is no impact on the Cisco MDS 9000 Family or Cisco Nexus 5000 Series Switches themselves.

Cisco has released free software updates that address this vulnerability in the Cisco Device Manager for Cisco MDS 9000 Family Switches. Cisco Nexus 5000 Series Switches have discontinued support for Cisco Device Manager installation via JNLP, and updates are not available for them. Workarounds that mitigate this vulnerability are available.

Solution

Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20130424-fmdm.

See Also

http://www.nessus.org/u?b87aa0dd

Plugin Details

Severity: High

ID: 66699

File Name: cisco-sa-20130424-fmdm-nxos.nasl

Version: 1.7

Type: combined

Family: CISCO

Published: 5/31/2013

Updated: 10/29/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:cisco:nx-os

Required KB Items: Host/Cisco/NX-OS/Version, Host/Cisco/NX-OS/Device, Host/Cisco/NX-OS/Model, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 4/24/2013

Vulnerability Publication Date: 4/24/2013

Reference Information

CVE: CVE-2013-1192

BID: 59449

CISCO-SA: cisco-sa-20130424-fmdm

CISCO-BUG-ID: CSCty17417