Cisco has patched a critical authentication bypass vulnerability that could allow attackers to completely take over Cisco Prime Home installations, and through them mess with subscribers’ home network and devices.
Cisco Prime Home is a cloud-based network management platform used by service providers to simplify the remote management and provisioning of subscribers’ home network and all TR-069-compliant in-home devices connected to it (residential gateways, IP set-top boxes, femtocells, IP phones, and so on).
It can also provide certain services to some non-TR-069 devices, such as PCs or smartphones, by proxy through the residential gateway.
Cisco Prime Home vulnerability details
The vulnerability (CVE-2017-3791), found internally by Cisco security testers, affects the platform’s web-based GUI, and can be exploited by remote attackers to bypass authentication and execute any action in Cisco Prime Home with administrator privileges.
No user interaction is needed for the exploit to work, and exploitation couldn’t be simpler: an attacker just needs to send API commands via HTTP to a particular URL.
Update as soon as possible
There is no indication that the flaw is being exploited in attacks in the wild. But, as there is no workaround for plugging the hole, service providers who have chosen to deploy the platform on their own network instead of hosting it with Cisco are urged to migrate to version 126.96.36.199 as soon as possible.
The bug exists in versions 6.4 and later of Cisco Prime Home, but does not affect versions 5.2 and earlier.
“Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the Version: line in the login window. If currently logged in, the version information can be viewed in the bottom left of the Prime Home GUI footer, next to the Cisco Prime Home text,” Cisco instructed in the security advisory.
Three months ago Cisco squashed a very similar bug in Cisco Prime Home.