CISCO Prime Opened Vulnerable to RCE
A series of vulnerabilities in the web interface of Cisco Prime opened servers to RCE attacks.
Cisco Prime is a network management service that provides tools for provisioning, monitoring, optimizing, and troubleshooting wired and wireless devices.
The main culprit in the Cisco Prime vulnerability is a XSS that is exploited through SNMP, the protocol used to discover devices in a network. A lot of vendors apparently don’t consider SNMP devices being a potential attack vector, so sanitizing input data from those potential malicious devices.
Cisco Prime sends SNMP requests to gather information about devices present in the network. Among the information network devices provide is the address for an image file.
When the server’s admin navigated to Prime’s device discovery page, the malicious script was loaded and run in the browser, resulting in an XSS attack.
Through the XSS, the researchers were able to exploit a series of other vulnerabilities in sequence.
The first vulnerability was an unprotected session ID cookie stored in LocalStorage, which enabled them to hijack the active administrator session. With the stolen administrator token, they next tried to submit commands to Prime’s management interface.
Like most web applications, Prime’s management interface prevents such commands through anti-CSRF tokens. But by probing Prime’s development tools, discovered a function that generated the tokens, making it possible to bypass the CSRF protections.
A second vulnerability enabled them to do path traversal and place the script in a system directory of their choosing.Finally, by executing the JSP file, they were able to open a reverse shell to one of their devices that was listening on the network.
The findings highlight some key gaps in securing web applications. The researchers also warned about the perils of underestimating minor vulnerabilities.