2 critical vulnerabilities discovered in Cisco Prime servers

Cisco Prime web interface is affected by a couple of security flaws whose successful exploitation would allow threat actors to deploy remote code execution (RCE) attacks. This is a network management solution that enables monitoring, optimization, and troubleshooting tasks on wireless and wired devices.

The researcher Andreas Finstad, in charge of the report mentions that when chained, these failures could completely compromise the Prime server and provide the attacker with a reverse shell. Apparently, the flaws exist due to a cross-site scripting (XSS) vector that is exploited through SNMP, a protocol used to discover devices on a network.

According to the report, Cisco Prime sends SNMP requests for the collection of information about network devices on the same network, including the address of an image file. Finstad placed a Linux-based device on the network and set the image address on a malicious JavaScript fragment hosted on a server controlled by the researcher, acting as an attacker. When the affected user’s server navigates to Prime’s device discovery page, the malicious script loads and runs in the browser, resulting in an XSS attack.

By abusing this feature, the researcher was able to exploit other vulnerabilities in a chained manner, starting by exploiting a flaw in the session identification cookie stored in LocalStorage, allowing access to the active session of the affected administrator.

Using the stolen administrator token, the researcher also tried to send commands to Prime’s management interface. Like most web applications, Prime’s management interface avoids such commands, although the abuse of a function for token generation eventually made it possible to evade cross-site request forgery (CSRF) protections.

This report notes how often similar vulnerabilities can be found in web application protection: “From a security perspective, the browser is not under the control of the client, so it is better to check the security on the user side,” says the expert.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.