CVE-2011-0364
Published: 2011-02-19
Priority: P2 · 69 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 19.62% (97.0th percentile)
The Management Console (webagent.exe) in Cisco Security Agent 5.1, 5.2, and 6.0 before 6.0.2.145 allows remote attackers to create arbitrary files and execute arbitrary code via unspecified parameters in a crafted st_upload request.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | security_agent | — | — |
| cisco | security_agent | — | — |
| cisco | security_agent | — | — |
| cisco | security_agent | — | — |
Detection & IOCs
- other: multipart/form-data; boundary=<boundary>; fields: host_uid, jobname, host, diags, diagsu, profiler, extension
- Detect POST requests to the /csamc60/agent endpoint containing multipart/form-data with a 'st_upload' action; the exploit sends path-traversal sequences (e.g., '../' or '/../') in the 'jobname', 'host', and 'extension' form fields.
- Alert on path-traversal patterns in multipart form fields ('jobname', 'host', 'extension') targeting the CSA Management Console, specifically sequences like '../bin/webserver/htdocs' or '/../.htaccess'.
- Monitor for creation of .htaccess files containing 'Options +Includes +ExecCGI' and 'AddHandler cgi-script' directives under the CSA web server document root, which enables server-side script execution.
- Detect GET requests to non-standard script extensions (e.g., .gee) under /csamc60/ following a POST to /csamc60/agent, which indicates a dropped payload being triggered.
- The vulnerability is exploitable by unauthenticated attackers; monitor for POST requests to /csamc60/agent from external/untrusted IP addresses with no prior authenticated session.
- Affected versions are Cisco Security Agent 5.1, 5.2, and 6.0 prior to 6.0.2.145. The exploit PoC hardcodes paths for version 6.0 (csamc60); path structures may differ for 5.x deployments.
- The exploit uses HTTPS (HTTPSConnection) to communicate with the Management Console; detection must be applied to TLS-decrypted traffic or at the host level to be effective.
- A workaround is available from Cisco in addition to the patch; consult the advisory for workaround details before relying solely on network-based detection.
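The checks listed above can be combined into a small host-level detector. This is an added example, not code from any of the indexed sources: the function names, the simplified log format, the extension allowlist and the five-minute correlation window are assumptions, and the multipart fields are expected to be already parsed from TLS-decrypted traffic or server-side data.

```python
import posixpath
import re
from urllib.parse import unquote

WATCHED_FIELDS = ("jobname", "host", "extension")  # form fields named on the page
EXPECTED_EXT = {"", ".html", ".css", ".js", ".gif", ".png"}  # assumed allowlist, tune per site
WINDOW_SECONDS = 300  # assumed POST-to-GET correlation window
LOG_RE = re.compile(r'(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample data (simplified log format: ip, epoch seconds, request line, status).
SAMPLE_LOG = [
    '198.51.100.7 1000 "POST /csamc60/agent HTTP/1.1" 200',
    '198.51.100.7 1012 "GET /csamc60/diag.gee HTTP/1.1" 200',
    '192.0.2.10 1020 "GET /csamc60/style.css HTTP/1.1" 200',
    '192.0.2.11 1030 "GET /csamc60/odd.gee HTTP/1.1" 404',
]

def traversal_fields(fields):
    """Names of watched multipart fields whose decoded value has a '..' path segment."""
    hits = []
    for name in WATCHED_FIELDS:
        value = unquote(fields.get(name, "")).replace("\\", "/")
        if ".." in value.split("/"):
            hits.append(name)
    return hits

def htaccess_enables_cgi(text):
    """True when a .htaccess body carries both directives the page says to watch for."""
    lowered = text.lower()
    return "+execcgi" in lowered and "addhandler cgi-script" in lowered

def post_then_script_get(lines):
    """(ip, path) pairs: GET of an unexpected extension soon after that IP POSTed to the agent URL."""
    last_post, alerts = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], int(m["ts"])
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == "/csamc60/agent":
            last_post[ip] = ts
        elif m["method"] == "GET" and path.startswith("/csamc60/"):
            ext = posixpath.splitext(path)[1].lower()
            recent = ip in last_post and 0 <= ts - last_post[ip] <= WINDOW_SECONDS
            if recent and ext not in EXPECTED_EXT:
                alerts.append((ip, path))
    return alerts

if __name__ == "__main__":
    print(post_then_script_get(SAMPLE_LOG))
```

The correlation step only flags a client that has a recent POST to /csamc60/agent on record, so an isolated request for an odd extension is left to other rules.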
CVSS provenance
- nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_cisco: 10.0 CRITICAL
Cisco
Management Center for Cisco Security Agent Remote Code Execution Vulnerability
vendor_cisco · 2011-02-16 · CVSS 10.0
CVE-2011-0364 [CRITICAL] CWE-94
The Management Center for Cisco Security Agent is affected by a vulnerability that may allow an unauthenticated attacker to perform remote code execution on the affected device. Cisco has released software updates that address this vulnerability. A workaround is available to mitigate this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110216-csa.
CWE: CWE-94
Bug IDs: CSCtj51216
GHSA
GHSA-rj3f-292m-phwf
ghsa_unreviewed · 2022-05-14
CVE-2011-0364 [HIGH] CWE-94
The Management Console (webagent.exe) in Cisco Security Agent 5.1, 5.2, and 6.0 before 6.0.2.145 allows remote attackers to create arbitrary files and execute arbitrary code via unspecified parameters in a crafted st_upload request.
References
- http://secunia.com/advisories/43383
- http://secunia.com/advisories/43393
- http://securityreason.com/securityalert/8095
- http://securityreason.com/securityalert/8197
- http://securityreason.com/securityalert/8205
- http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6cee6.shtml
- http://www.securityfocus.com/archive/1/516505/100/0/threaded
- http://www.securityfocus.com/bid/46420
- http://www.securitytracker.com/id?1025088
- http://www.vupen.com/english/advisories/2011/0424
- http://www.zerodayinitiative.com/advisories/ZDI-11-088
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65436