CVE-2018-15379
Published 2018-10-05
Priority: P1 · 86 · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 86.22% (99.7th percentile)
A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.
Affected: 11 ranges (version range and fixed-in values are not recorded in this entry)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_prime_infrastructure | — | — |
| cisco | prime_infrastructure | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated TFTP PUT requests to the /localdisk/tftp/ directory, especially uploading .jsp files, as this is the initial exploitation step for CVE-2018-15379.
- Monitor for HTTP GET requests to /swimtemp with a zero-length 404 response body on Cisco Prime Infrastructure, which is the fingerprint used by the Metasploit module to detect a vulnerable target.
- Alert on HTTP GET requests to /swimtemp/<random>.jsp following a TFTP upload session from the same source IP, indicating web shell execution after file upload.
- Monitor execution of /opt/CSCOlumos/bin/runrshell with unexpected or injected command arguments, as this SUID binary is abused for privilege escalation to root.
- Look for JSP web shell files appearing in the /localdisk/tftp/ directory on Cisco Prime Infrastructure hosts, as legitimate use would not place JSP files there.
- The fix in version 3.4.1 only addresses the TFTP file upload vulnerability; the privilege escalation via runrshell remains exploitable if an attacker gains access through another vector.
- A Cisco-recommended workaround is to disable the TFTP server; environments that have applied only this workaround (without patching) should still monitor for alternative initial access paths that could lead to runrshell abuse.
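To turn the first three indicators above into something a SOC can run, here is an added example (not code from the page's sources or any vendor tool) that correlates constructed tftpd and web-server log lines by source address: a .jsp write request via TFTP, the zero-length 404 on /swimtemp, and a later GET of /swimtemp/<name>.jsp from the same address inside a time window. The log line formats, the year assumed for syslog timestamps and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system): tftpd write
# requests (WRQ) and a web-server access log from the same Prime host.
TFTP_LOG = [
    "Oct 05 10:01:02 pi tftpd[1234]: WRQ from 203.0.113.5 filename x7f3a.jsp",
    "Oct 05 10:05:00 pi tftpd[1234]: WRQ from 198.51.100.9 filename sw1-config.txt",
]
WEB_LOG = [
    '203.0.113.5 - - [05/Oct/2018:10:01:09 +0000] "GET /swimtemp HTTP/1.1" 404 0',
    '203.0.113.5 - - [05/Oct/2018:10:01:11 +0000] "GET /swimtemp/x7f3a.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Oct/2018:10:06:00 +0000] "GET /webacs/ HTTP/1.1" 200 4096',
]

TFTP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ tftpd\[\d+\]: WRQ from (\S+) filename (\S+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+)[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def parse_tftp(line, year=2018):  # syslog lines carry no year; the caller supplies it
    m = TFTP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m.group(2), "file": m.group(3)}

def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
    return {"ts": ts, "ip": m.group(1), "method": m.group(3), "path": m.group(4),
            "status": int(m.group(5)), "size": int(m.group(6))}

def detect(tftp_lines, web_lines, window=timedelta(minutes=10)):
    """Return (rule, source_ip, detail) findings for the three indicators."""
    findings, uploads = [], defaultdict(list)
    for e in filter(None, map(parse_tftp, tftp_lines)):
        if e["file"].lower().endswith(".jsp"):  # a JSP never belongs in /localdisk/tftp/
            findings.append(("jsp_tftp_upload", e["ip"], e["file"]))
            uploads[e["ip"]].append(e["ts"])
    for w in filter(None, map(parse_web, web_lines)):
        if w["method"] != "GET":
            continue
        if w["path"] == "/swimtemp" and w["status"] == 404 and w["size"] == 0:
            findings.append(("swimtemp_probe", w["ip"], w["path"]))  # scanner fingerprint
        elif re.fullmatch(r"/swimtemp/[^/]+\.jsp", w["path"]) and any(
                timedelta(0) <= w["ts"] - t <= window for t in uploads[w["ip"]]):
            findings.append(("webshell_request_after_upload", w["ip"], w["path"]))
    return findings

if __name__ == "__main__":
    for finding in detect(TFTP_LOG, WEB_LOG):
        print(*finding)
```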
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Vendor (Cisco): 7.3 HIGH
Source: Cisco advisory (vendor_cisco · 2018-10-03 · CVSS 7.3 · HIGH · CWE-275)
Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability
Cisco has rele
Source: Cisco advisory (vendor_cisco · CVSS 3.0)
CVE-2018-15379: Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability
Source: GHSA-h92j-m24w-8xp7 (ghsa_unreviewed · 2022-05-13 · CRITICAL · CWE-732)
No detection rules found.
Source: Exploit-DB (exploitdb · 2018-10-04)
Cisco Prime Infrastructure - (Unauthenticated) Remote Code Execution
Module header as published (truncated in this record):
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cisco Prime Infrastructure Unauthenticated Remote Code Execution',
      'Description' => %q{
        Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow
        an unauthenticated attacker to achieve remote code execution. The first flaw is a file
        upload vulnerability that allows the attacker to upload and execute files as the Apache
        Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions
        in a SUID binary.
        This module exploits these vulnerabilities to achieve unauthenticated remote code execution
        as root on
```
Source: Metasploit (metasploit)
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. The file upload vulnerability should have been fixed i
Source: Trend Micro blog (blogs_trendmicro · 2019-08-13)
# Neko, Mirai and Bashlite Target Routers, Devices
By: Augusto Remillano II, Jakub Urbanec · Aug 13, 2019
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlis
Source: Tenable blog, Cyber Exposure Alerts (blogs_tenable · 2018-10-12 · CVSS 9.8 · CRITICAL)
# Public Exploit Modules Available for Cisco Prime Infrastructure Vulnerability
Ryan Seguin · October 12, 2018
Users of Cisco Prime Infrastructure Software are urged to update to the latest version to address one of two vulnerabilities that, when chained, could lead to remote code execution with system-level permissions.
## Background
Cisco released an advisory for CVE-2018-15379, an arbitrary file upload and command execution vulnerability for its Cisco Prime Infrastructure (CPI) software. The CPI management software is designed to allow businesses to manage their network device configurations all in one place, rather than individually by device. CPI also offers integration with Cisco Identity Services Engine (ISE) and location-based
References
- http://www.securityfocus.com/bid/105506
- http://www.securitytracker.com/id/1041816
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp
- https://www.exploit-db.com/exploits/45555/