Intrusion Prevention

Java.Debug.Wire.Protocol.Insecure.Configuration

Description

This indicates an attempt to use the Java Debug Wire Protocol (JDWP) to access remote debugging.
JDWP allows remote debugging of a Java virtual machine. However, the protocol does not authenticate users and is insecure. Attackers can use JDWP to perform command injection. The JDWP service port should never be exposed to the public.
This signature can detect attempts to exploit a Remote Code Execution Vulnerability in Cisco Prime Data Center Network Manager. A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected system. The vulnerability is due to a lack of authentication and to the JDWP service port being exposed to the public.

Affected Products

Any server with a JDWP service port exposed to the public is vulnerable.
Cisco Prime Data Center Network Manager 10.1(2)
Cisco Prime Data Center Network Manager 10.1(1)
Cisco MDS 9500 Series Multilayer Directors 10.1(2)
Cisco MDS 9500 Series Multilayer Directors 10.1(1)ST(1)
Cisco MDS 9500 Series Multilayer Directors 10.1(1)S5

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Recommended Actions

Close the JDWP service port.
Apply the latest update from the vendor:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1
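
To find JVMs that still need their JDWP port closed, the following added example (not part of the original advisory or any vendor tool) classifies JDWP agent options found in JVM command lines by how the listener is bound. It assumes the `dt_socket` transport; the function name, exposure labels and sample command lines are constructed for illustration.

```python
import re

# Matches both agent spellings: -agentlib:jdwp=... and the legacy -Xrunjdwp:...
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def classify_jdwp(cmdline):
    """Return a list of (exposure, options) for each JDWP agent in a JVM command line.

    exposure is one of:
      "exposed"           listener bound to all interfaces or a non-loopback host
      "version-dependent" port only: loopback on JDK 9+, all interfaces on JDK 8 and older
      "loopback"          listener bound to a loopback address
      "outbound"          server=n (the default): the JVM connects out and does not listen
    """
    findings = []
    for match in JDWP_OPT.finditer(cmdline):
        opts = dict(kv.split("=", 1) for kv in match.group(1).split(",") if "=" in kv)
        if opts.get("server", "n") != "y":
            exposure = "outbound"
        else:
            host, sep, _port = opts.get("address", "").rpartition(":")
            if not sep or not host:      # no host part given, only a port (or nothing)
                exposure = "version-dependent"
            elif host in LOOPBACK:
                exposure = "loopback"
            else:                        # "*", "0.0.0.0" or a routable address
                exposure = "exposed"
        findings.append((exposure, opts))
    return findings

# Constructed sample command lines, as they might appear in process listings.
SAMPLES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000 -jar app.jar",
    "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar legacy.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,address=127.0.0.1:5005 -jar dev.jar",
    "java -Xmx2g -jar clean.jar",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for exposure, opts in classify_jdwp(line) or [("none", {})]:
            print(f"{exposure:18} {opts.get('address', '-'):16} {line}")
```

Anything reported as "exposed" or "version-dependent" should have the agent option removed or rebound to loopback, and the port blocked at the host or network firewall.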

CVE References

CVE-2017-6639