Cisco Device Manager Command Execution Vulnerability

Advisory ID: cisco-sa-20130424-fmdm

Revision 1.0

For Public Release 2013 April 24 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Device Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary 
commands on a client host with the privileges of the user. This vulnerability affects Cisco Device Manager for the 
Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches when it is installed or launched via the Java Network Launch 
Protocol (JNLP) on a host running Microsoft Windows.

Cisco Device Manager installed or launched from Cisco Prime Data Center Network Manager (DCNM) or Cisco Fabric Manager 
is not affected. This vulnerability can only be exploited if the JNLP file is executed on systems running Microsoft 
Windows. The vulnerability affects the confidentiality, integrity, and availability of the client host performing the 
installation or execution of Cisco Device Manager via JNLP file. There is no impact on the Cisco MDS 9000 Family or 
Cisco Nexus 5000 Series Switches.

Cisco has released free software updates that address this vulnerability in the Cisco Device Manager for Cisco MDS 9000 
Family Switches. Cisco Nexus 5000 Series Switches have discontinued the support of the Cisco Device Manager 
installation via JNLP and updates are not available.

Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm