Critical flaw in the Cisco Prime Infrastructure leads to arbitrary file Upload and command execution

November 2, 2018

Cisco Prime Infrastructure:

Cisco Prime Infrastructure simplifies the management of wireless and wired networks.   This single, unified solution provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring and troubleshooting with the Cisco Identity Services Engine (ISE) and location-based tracking of mobility devices with the Cisco Mobility Services Engine (MSE). You can manage the network, devices, applications, and users – all from one place.

Vulnerability | Arbitrary File Upload and Command Execution:

CVE-2018-15379 – HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions allowing an unauthenticated, remote attacker to upload an arbitrary file. This file can later be executed by the attacker at the privilege level of the user. The vulnerability is due to incorrect permission setting for system directories. An attacker could exploit this vulnerability by uploading a malicious file using TFTP ( Trivial File Transfer Protocol), which can later be accessed via the web-interface. Successful exploitation could result in the execution of arbitrary code in the context of the prime user.

Technical Details:

Most web applications running on the Cisco Prime Infrastructure (CPI)  virtual appliance are deployed under ‘/opt/CSCOlumos/apache-tomcat-<Version>/webapps’. Since the autoDeploy parameter in the Tomcat server.xml for CPI is set to true for the default virtual host, any directory within the “webapps” directory will be deployed as a web application. One of these applications is “swimtemp”, which symlinks to /localdisk/tftp which is where files uploaded by TFTP are located.

rwxrwxrwx. 1 root admin  swimtemp -> /localdisk/tftp/

The TFTP server in Cisco Prime Infrastructure will by default allow uploads and due to the fact that TFTP has no login or access control mechanisms, any user with network connectivity to the TFTP port may upload arbitrary files. Files uploaded via TFTP are placed in the  directory ‘/localdisk/tftp’.

As a result, an attacker can upload a malicious file using a tftp client to the ‘/localdisk/tftp/’ directory. The malicious file will be available at https://<IP>/swimtemp/<web shell>. Attacker can then visit this URI to execute the code in the context of the “prime” user, which is an unprivileged user that runs the Apache Tomcat server.

Affected Products:

Cisco Prime Infrastructure 3.2 and later

Sonicwall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13851 Cisco Prime Infrastructure TFTP Arbitrary File Upload 2Cisco Prime Infrastructure TFTP Arbitrary File Upload 1
  • IPS: 13852 Cisco Prime Infrastructure TFTP Arbitrary File Upload 2Cisco Prime Infrastructure TFTP Arbitrary File Upload 2