One of the flaws addressed by Cisco in the Prime Infrastructure management tool could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on PI devices.
“Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system.” reads the advisory published by Cisco.
“One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the affected administrative interface.”
The remaining two issues, tracked as CVE-2019-1822 and CVE-2019-1823, could be exploited by an attacker that has valid credentials to authenticate to the impacted administrative interface.
The flaws affect Cisco Prime Infrastructure Software releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.
The vulnerabilities were discovered by Steven Seeley of Source Incite.
“These vulnerabilities exist because the software improperly validates user-supplied input,” continues the advisory. “An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.”
Cisco PSIRT experts are aware of any attacks exploiting the flaws in the wild.
A few days ago, Cisco fixed the Thrangrycat, a vulnerability tracked as CVE-2019-1649 that affects multiple Cisco products supporting the Trust Anchor module (TAm). The issue could be exploited by an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.