AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
-
A vulnerability in Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands with root-level privileges.
The vulnerability is due to improper validation of URL requests. An attacker could exploit this vulnerability by requesting an unauthorized command via a specific URL. Successful exploitation could allow an authenticated attacker to execute system commands with root-level privileges.
Cisco has released software updates that address this vulnerability. A software patch that addresses this vulnerability in all affected versions is also available. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140226-pi
-
Cisco Prime Infrastructure is a single integrated solution for comprehensive lifecycle management and application performance visibility that helps enable network managers to maintain, operate, and deliver applications and services that meet the demands for a quality end-user experience.
Cisco Prime Infrastructure Command Execution Vulnerability
A vulnerability in Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands with root-level privileges.
The vulnerability is due to improper validation of URL requests. An attacker could exploit this vulnerability by requesting an unauthorized command via a specific URL. Successful exploitation could allow an authenticated attacker to execute system commands with root-level privileges.
This vulnerability is documented in Cisco bug ID CSCum71308 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0679.
-
Workarounds that mitigate this vulnerability are not available.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Software
The following table provides information on the first release that fixed this vulnerability for each major version of Cisco Prime Infrastructure:
Major Version
First Fixed In
1.2
Upgrade to a fixed release of 1.3 or higher 1.3 1.3.0.20-2
1.4 1.4.0.45-2
2.0 2.0.0.0.294-2
For more information about upgrading Cisco Prime Infrastructure software, see the Readme for Installing Security Fix Software for the Cisco Prime Infrastructure Appliance.
Note: Customers that use Cisco Prime Infrastructure software version 1.2 can apply the patch below or upgrade to a fixed release of 1.3 or higher.
Example of Affected Version
To determine the version of software that is running on the device, administrators can issue the show version command from the command-line interface (CLI). The following output is from an affected device running Cisco Prime Infrastructure software version 1.4.0.45. This version does not include the fix for Cisco bug ID CSCum71308.NCS1-2-1-12/admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: NCS1-2-1-12
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45Example of Unaffected Version
The following show version output is from an unaffected device running Cisco Prime Infrastructure software version 1.4.0.45-2. This version includes the fix for Cisco bug ID CSCum71308.NCS1-2-1-12/admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: NCS1-2-1-12
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45-2Patch for Existing Software
For existing installations, a software patch is available that fixes this vulnerability in all affected versions of Cisco Prime Infrastructure. Customers who elect to use the software patch, should apply the patch regardless of other Cisco Prime Infrastructure patches that are applied.
Customers can download the software patch from the "Download Software" page on Cisco.com by selecting:
Downloads Home > Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Cisco Prime Infrastructure
The filename for this patch is PI-CSCum71308-0.tar.gz. The patch can be installed by issuing the application install PI-CSCum71308-0.tar.gz <Repository Name> command from the CLI.
For details on this command, see Command Reference Guide for Cisco Prime Infrastructure.
Note: Customers that use Cisco Prime Infrastructure software version 1.2 can apply the patch or upgrade to a fixed release of 1.3 or higher.
Example of Patched Version
The following show version output is from a patched device running Cisco Prime Infrastructure software version 1.4.0.45. The fix for Cisco bug ID CSCum71308 has been applied as indicated by the presence of the "SecurityFix_CSCum71308" section in the output.pi146/admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: pi146
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45
SecurityFix_CSCum71308 VERSION INFORMATION
-----------------------------------
Version : 1.0.0 Vendor: Cisco Systems, Inc.
Build Date : January 23 2014 01:24PST
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Cisco discovered the vulnerability during internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1 2014-March-13 Updated Fixed Software section to include a link to upgrade information. Revision 1.0 2014-February-26 Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.