Public Exploit Modules Available for Cisco Prime Infrastructure Vulnerability
Users of Cisco Prime Infrastructure Software are urged to update to the latest version to address one of two vulnerabilities that, when chained, could lead to remote code execution with system-level permissions.
Background
Cisco released an advisory for CVE-2018-15379, an arbitrary file upload and command execution vulnerability for its Cisco Prime Infrastructure (CPI) software. The CPI management software is designed to allow businesses to manage their network device configurations all in one place, rather than individually by device. CPI also offers integration with Cisco Identity Services Engine (ISE) and location-based tracking through the Cisco Mobility Services Engine (MSE).
Vulnerability details
The CPI management tool has two vulnerabilities that, when exploited in tandem, could allow remote code execution. Pedro Ribeiro of Agile Information Security released a Proof of Concept (PoC) that outlines exploitation in greater detail. The researcher also states that exploit modules are publicly available for this vulnerability.
An attacker can first upload a JavaServer Page (JSP) web shell file using a Trivial File Transfer Protocol (TFTP) client to the /localdisk/tftp/ directory through the default TFTP port (port 69) to gain a shell as the "prime" user, which is unprivileged. From there, an attacker can inject commands through an unsanitized portion of the /opt/CSCOlumos/bin/runrshell binary to gain root access in their open shell.
Tenable researchers were also easily able to establish a web shell that accepted command input on a CPI target running version 3.2 in our lab. A standard id command displayed the status of the current user:
However, the privilege escalation can be easily demonstrated with this command:
Urgently required actions
Cisco has available workarounds, such as disabling the TFTP server listed in their advisory. However, we suggest updating to the fixed version (3.4.1) provided by Cisco. An important note is that this fix only addresses the TFTP file upload vulnerability. If an attacker were to gain access to the host in some other fashion that allows them to invoke the unsanitized binary, then the code execution vulnerability would still be exploitable.
Instructions for updating Cisco Prime Infrastructure Software are included in the advisory.
Identifying affected systems
A list of Nessus plugins to identify this vulnerability can be found here.
Get more information
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Vulnerability Management