cbcvebase.
CVE-2018-15379
published 2018-10-05

Priority P1 86 · critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT (public exploit available)
EPSS: 86.22% (99.7th percentile)
A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.

Affected (11 ranges)

Vendor | Product | Version range | Fixed in
cisco | cisco_prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -
cisco | prime_infrastructure | - | -

Detection & IOCs (extracted from sources)

path: /localdisk/tftp/
path: /opt/CSCOlumos/bin/runrshell
url: /swimtemp
process: runrshell
  • Detect unauthenticated TFTP PUT requests to the /localdisk/tftp/ directory, especially uploading .jsp files, as this is the initial exploitation step for CVE-2018-15379.
  • Monitor for HTTP GET requests to /swimtemp with a zero-length 404 response body on Cisco Prime Infrastructure, which is the fingerprint used by the Metasploit module to detect a vulnerable target.
  • Alert on HTTP GET requests to /swimtemp/<random>.jsp following a TFTP upload session from the same source IP, indicating web shell execution after file upload.
  • Monitor execution of /opt/CSCOlumos/bin/runrshell with unexpected or injected command arguments, as this SUID binary is abused for privilege escalation to root.
  • Look for JSP web shell files appearing in the /localdisk/tftp/ directory on Cisco Prime Infrastructure hosts, as legitimate use would not place JSP files there.
  • The fix in version 3.4.1 only addresses the TFTP file upload vulnerability; the privilege escalation via runrshell remains exploitable if an attacker gains access through another vector.
  • A Cisco-recommended workaround is to disable the TFTP server; environments that have applied only this workaround (without patching) should still monitor for alternative initial access paths that could lead to runrshell abuse.
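The detection bullets above describe one correlation chain: a TFTP write of a .jsp into /localdisk/tftp/, the scanner's /swimtemp fingerprint probe, a GET of the uploaded JSP under /swimtemp/ from the same source, and runrshell invoked with shell metacharacters in its arguments. The Python below is an added example, not code from this page, from Cisco, or from the Metasploit module; it runs those rules over constructed log lines. Its assumptions: the TFTP log mimics the tftpd-hpa "WRQ from <ip> filename <name>" message, the web log is Combined Log Format, and the process log is a made-up tab-separated "user<TAB>binary<TAB>argv..." record. Cisco Prime Infrastructure's real log formats differ, so the regexes are the part to adapt.

```python
import re
from collections import defaultdict

# --- Constructed sample logs (not captured from any real device) ---

# TFTP daemon lines in the tftpd-hpa style: RRQ = read, WRQ = write (upload).
TFTP_LOG = """\
Oct  5 10:00:01 pi in.tftpd[2211]: RRQ from 10.0.0.20 filename switch-config.txt
Oct  5 10:00:02 pi in.tftpd[2211]: WRQ from 10.0.0.5 filename kXq8Zt1.jsp
Oct  5 10:00:03 pi in.tftpd[2211]: WRQ from 10.0.0.9 filename ios-backup.bin
"""

# Web access lines in Combined Log Format.
HTTP_LOG = """\
10.0.0.5 - - [05/Oct/2018:09:59:58 +0000] "GET /swimtemp HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Oct/2018:10:00:05 +0000] "GET /swimtemp/kXq8Zt1.jsp?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.30 - - [05/Oct/2018:10:01:00 +0000] "GET /webacs/welcomeAction.do HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Process execution records (assumed format): user, binary, then each argv element, tab-separated.
PROC_LOG = """\
prime\t/opt/CSCOlumos/bin/runrshell\tshow version
prime\t/opt/CSCOlumos/bin/runrshell\t" && /bin/sh -c 'id > /tmp/o' #
"""

TFTP_WRQ = re.compile(r"WRQ from (\S+) filename (\S+)")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
SWIMTEMP_JSP = re.compile(r"^/swimtemp/([^/?]+\.jsp)")
# Characters that would let an argument break out of whatever runrshell wraps it in.
SHELL_META = re.compile(r'["`;&|]|\$\(')
RUNRSHELL = "/opt/CSCOlumos/bin/runrshell"


def tftp_uploads(log):
    """Return [(src_ip, filename)] for every TFTP write request (WRQ); reads are ignored."""
    return [m.groups() for m in (TFTP_WRQ.search(l) for l in log.splitlines()) if m]


def http_requests(log):
    """Return [(src_ip, method, path, status, response_bytes)] for parseable access-log lines."""
    out = []
    for line in log.splitlines():
        m = HTTP_RE.match(line)
        if m:
            ip, method, path, status, size = m.groups()
            out.append((ip, method, path, int(status), 0 if size == "-" else int(size)))
    return out


def detect(tftp_log, http_log, proc_log):
    """Apply the four rules and return a list of (rule, subject, detail) alerts."""
    alerts = []
    uploads = tftp_uploads(tftp_log)

    # Rule 1: a .jsp written over TFTP lands in /localdisk/tftp/; legitimate use never does that.
    for ip, name in uploads:
        if name.lower().endswith(".jsp"):
            alerts.append(("jsp_upload_via_tftp", ip, name))

    uploaded_by = defaultdict(set)
    for ip, name in uploads:
        uploaded_by[ip].add(name)

    for ip, method, path, status, size in http_requests(http_log):
        # Rule 2: the scanner fingerprint, GET /swimtemp answered with an empty-bodied 404.
        if method == "GET" and path == "/swimtemp" and status == 404 and size == 0:
            alerts.append(("swimtemp_fingerprint", ip, path))
        # Rule 3: the same source fetching a JSP it previously uploaded, i.e. web shell execution.
        m = SWIMTEMP_JSP.match(path)
        if method == "GET" and m and m.group(1) in uploaded_by.get(ip, ()):
            alerts.append(("webshell_execution", ip, m.group(1)))

    # Rule 4: the SUID runrshell binary run with shell metacharacters in any argument.
    for line in proc_log.splitlines():
        if not line.strip():
            continue
        user, binary, *argv = line.split("\t")
        if binary == RUNRSHELL and any(SHELL_META.search(a) for a in argv):
            alerts.append(("runrshell_injection", user, " ".join(argv)))
    return alerts


if __name__ == "__main__":
    for alert in detect(TFTP_LOG, HTTP_LOG, PROC_LOG):
        print(alert)
```

The example correlates only on source IP and filename and ignores timestamps; a production rule should additionally require the /swimtemp/ GET to follow the WRQ within a short window, since the two logs carry different clock formats here. Rule 4 is deliberately narrow (metacharacters only); if you know what legitimate runrshell arguments look like on your deployment, an allow-list of expected argument shapes is the stronger check.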

CVSS provenance

Source | Version | Score | Vector
nvd | v3.0 | 9.8 CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_cisco | - | 7.3 HIGH | -