Cisco plugs critical flaws in DNA Center and Prime Infrastructure

A new batch of vulnerabilities in various Cisco products has been fixed, three of which are critical.


Cisco DNA Center vulnerabilities

Two vulnerabilities affect Cisco Digital Network Architecture (DNA) Center and were discovered by the company during internal security testing.

CVE-2018-15386 is due to an insecure default configuration of the affected system. Unauthenticated, remote attackers could exploit it by directly connecting to the exposed services, and would then be able to retrieve and modify critical system files.

It affects Cisco DNA Center Release 1.1. There are no workarounds, so Cisco recommends that users upgrade to Release 1.2 or later.

CVE-2018-0448 is due to insufficient security restrictions for critical management functions. Unauthenticated, remote attackers could exploit it by sending a valid identity management request to the affected system (authentication bypass), and would then be able to view and make unauthorized modifications to existing system users as well as create new users.

It affects Cisco DNA Center releases prior to Release 1.1.4. There are no workarounds, so Cisco recommends that users upgrade to Release 1.1.4 or later.

There is no indication that either of these vulnerabilities is under active exploitation.

Cisco Prime Infrastructure flaw

CVE-2018-15379 is a combination of two vulnerabilities that together leave the HTTP web server for Cisco Prime Infrastructure (PI) with unrestricted directory permissions.

It was discovered by independent security researcher Pedro Ribeiro who reported it to Beyond Security’s SecuriTeam Secure Disclosure (SSD) program.

Cisco says that by exploiting the vulnerability, an unauthenticated, remote attacker could upload an arbitrary file to the vulnerable system, which would allow the attacker to execute commands at the privilege level of the user "prime", an account that does not have administrative or root privileges.

The company advises users to upgrade to Release 3.3.1 Update 02 or 3.4.1, or to employ the following workaround: disable TFTP for Cisco PI and switch to using a secure protocol such as Secure Copy Protocol (SCP) or SFTP for internal operations (e.g., image transfer, configuration, archives).
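The advisory text above gives concrete decision rules: which DNA Center releases are affected by each CVE, which Prime Infrastructure releases carry the fix, and whether the TFTP workaround is in place. The following is an added example (not Cisco's tooling, and not code from the advisory) that turns those rules into a small triage helper a defender could run over an inventory export. The version thresholds come from the article; the version-string format, the inventory fields and the sample hosts are constructed assumptions.

```python
"""Triage helper for the Cisco DNA Center and Prime Infrastructure (PI)
advisories discussed above. Added example, not Cisco's own tooling.
Thresholds are taken from the advisory text; the accepted version-string
formats ("1.1.2", "Release 3.3.1 Update 02") are an assumption."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'Release 3.3.1 Update 02' or '1.1.4' into a comparable tuple
    (major, minor, patch, update). Missing components default to 0, so
    '3.4' sorts before '3.4.1' and '3.3.1' before '3.3.1 Update 02'."""
    match = re.search(r"(\d+(?:\.\d+)*)(?:\s*Update\s*(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad to major.minor.patch
    parts.append(int(match.group(2) or 0))   # 'Update NN' suffix, if any
    return tuple(parts[:4])  # type: ignore[return-value]


def dna_center_findings(version: str) -> List[str]:
    """CVE-2018-15386 affects Release 1.1 (fixed in 1.2 and later);
    CVE-2018-0448 affects releases prior to 1.1.4."""
    v = parse_version(version)
    findings = []
    if v[:2] == (1, 1):
        findings.append("CVE-2018-15386")
    if v < (1, 1, 4, 0):
        findings.append("CVE-2018-0448")
    return findings


def prime_infrastructure_status(version: str, tftp_enabled: bool) -> str:
    """CVE-2018-15379 is fixed in 3.3.1 Update 02 (on the 3.3 train) and in
    3.4.1. Anything older is 'affected' unless TFTP has been disabled, which
    is the workaround the advisory names; that state is reported as
    'workaround' rather than 'fixed'."""
    v = parse_version(version)
    fixed = v >= (3, 4, 1, 0) or (3, 3, 1, 2) <= v < (3, 4, 0, 0)
    if fixed:
        return "fixed"
    return "affected" if tftp_enabled else "workaround"


def triage(inventory: List[Dict]) -> Dict[str, str]:
    """Map each host name to a one-line status. Hosts are dicts with
    'name', 'product' ('dna-center' or 'prime-infrastructure'), 'version'
    and, for PI, 'tftp_enabled' (constructed inventory format)."""
    report = {}
    for host in inventory:
        if host["product"] == "dna-center":
            cves = dna_center_findings(host["version"])
            report[host["name"]] = "affected: " + ", ".join(cves) if cves else "fixed"
        elif host["product"] == "prime-infrastructure":
            report[host["name"]] = prime_infrastructure_status(
                host["version"], host.get("tftp_enabled", True))
        else:
            report[host["name"]] = "not covered by this advisory"
    return report


# Constructed sample inventory; the host names and versions are made up.
SAMPLE_INVENTORY = [
    {"name": "dnac-lab", "product": "dna-center", "version": "1.1.2"},
    {"name": "dnac-prod", "product": "dna-center", "version": "Release 1.2.5"},
    {"name": "pi-old", "product": "prime-infrastructure",
     "version": "Release 3.3.1 Update 01", "tftp_enabled": True},
    {"name": "pi-mitigated", "product": "prime-infrastructure",
     "version": "3.4", "tftp_enabled": False},
    {"name": "pi-patched", "product": "prime-infrastructure",
     "version": "3.4.1", "tftp_enabled": True},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status}")
```

A host reported as "workaround" still needs the update scheduled; the helper deliberately keeps that state separate from "fixed" so that disabling TFTP is not mistaken for a patch.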

SSD, on the other hand, says that Cisco’s fix “only addresses the file uploading part of the exploit, not the file inclusion, the ability to execute arbitrary code through it or the privileges escalation issue that the product has.”

According to SSD, root access can be achieved. In its advisory, SSD has also published a working exploit in the form of a Metasploit module.

Again, there is no indication that CVE-2018-15379 is being exploited in the wild, but since an exploit is now publicly available, users would do well to apply the updates or the workaround sooner rather than later.