Good heavens, is it time to patch Cisco kit again? Prime Infrastructure root privileges hole plugged

Do the thing ASAP, you know how it works by now

9 Reg comments Got Tips?

Among a bumper crop of 57 security issues Cisco divulged on Wednesday was a fix for a trio of vulns, one critical, in networks management tool Prime Infrastructure.

The latter potentially allows unauthenticated miscreants to execute arbitrary code with root privileges on PI devices.

CVE-2019-1821 "can be exploited by an unauthenticated attacker that has network access to the affected [web] administrative interface," Cisco said in an advisory.

Two other related vulns, consecutively numbered CVE-2019-1822 and 1823, require credentials for the admin interface. They affect Cisco Prime Infrastructure Software releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1, the company said.

The vulns were reported to the firm by Steven Seeley of Source Incite.

"These vulnerabilities exist because the software improperly validates user-supplied input," Switchzilla continued. "An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system."

So far Cisco's PSIRT has said it is not aware of any proof-of-concepts or active exploits in the wild, but that's no excuse not to get patching ASAP.

Full details, including how to determine what version of PI is running on your boxen and links to the patches themselves, are available on Cisco's website.

The updates come just two days after the firm copped to a secure boot flaw in its routers that has been dubbed 😾😾😾 (pronounced Thrangrycat) by those who discovered it.

It has also been just a few months since a pile of patches addressed roughly similar problems, including a slack handful of remotely rootable vulns in Hyperflex. Over the years El Reg has written time and again about severe and critical problems with PI, including a SQL injection nasty and a method of obtaining root privs through a malformed HTTP POST request, among many others. ®


Biting the hand that feeds IT © 1998–2020