CISCO Prime Opened Vulnerable to RCE

A series of vulnerabilities in the web interface of Cisco Prime opened servers to RCE attacks.

Cisco Prime is a network management service that provides tools for provisioning, monitoring, optimizing, and troubleshooting wired and wireless devices.

The main culprit in the Cisco Prime vulnerability is a XSS that is exploited through SNMP, the protocol used to discover devices in a network. A lot of vendors apparently don’t consider SNMP devices being a potential attack vector, so sanitizing input data from those potential malicious devices.

Advertisements

Cisco Prime sends SNMP requests to gather information about devices present in the network. Among the information network devices provide is the address for an image file.

The researchers placed a Linux-based device on the network and in its SNMP configuration file, they set the address of the image to a JavaScript snippet that loaded a malicious script hosted on a server they controlled.

When the server’s admin navigated to Prime’s device discovery page, the malicious script was loaded and run in the browser, resulting in an XSS attack.

Through the XSS, the researchers were able to exploit a series of other vulnerabilities in sequence.

The first vulnerability was an unprotected session ID cookie stored in LocalStorage, which enabled them to hijack the active administrator session. With the stolen administrator token, they next tried to submit commands to Prime’s management interface.

Like most web applications, Prime’s management interface prevents such commands through anti-CSRF tokens. But by probing Prime’s development tools, discovered a function that generated the tokens, making it possible to bypass the CSRF protections.