Cisco Prime Home Authentication Bypass Vulnerability
2016-11-02T16:00:00
ID CISCO-SA-20161102-CPH Type cisco Reporter Cisco Modified 2016-11-02T15:34:02
Description
A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime
Home could allow an unauthenticated, remote attacker to bypass
authentication. The attacker could be granted full administrator privileges.
The
vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending
a crafted HTTP request to a particular URL. An exploit could allow
the attacker to obtain a valid session identifier for an arbitrary user, which
would allow the attacker to perform any actions in Cisco Prime Home for
which that user is authorized—including users with administrator privileges.
A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime
Home could allow an unauthenticated, remote attacker to bypass
authentication. The attacker could be granted full administrator privileges.
The
vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending
a crafted HTTP request to a particular URL. An exploit could allow
the attacker to obtain a valid session identifier for an arbitrary user, which
would allow the attacker to perform any actions in Cisco Prime Home for
which that user is authorized—including users with administrator privileges.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
{"id": "CISCO-SA-20161102-CPH", "hash": "23ec2e8a25dcb38f83f8a7055d805b06", "type": "cisco", "bulletinFamily": "software", "title": "Cisco Prime Home Authentication Bypass Vulnerability", "description": "A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime\nHome could allow an unauthenticated, remote attacker to bypass\nauthentication. The attacker could be granted full administrator privileges.\n\nThe\nvulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending\na crafted HTTP request to a particular URL. An exploit could allow\nthe attacker to obtain a valid session identifier for an arbitrary user, which\nwould allow the attacker to perform any actions in Cisco Prime Home for\nwhich that user is authorized—including users with administrator privileges.\n\nA vulnerability in the web-based graphical user interface (GUI) of Cisco Prime\nHome could allow an unauthenticated, remote attacker to bypass\nauthentication. The attacker could be granted full administrator privileges.\n\nThe\nvulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending\na crafted HTTP request to a particular URL. An exploit could allow\nthe attacker to obtain a valid session identifier for an arbitrary user, which\nwould allow the attacker to perform any actions in Cisco Prime Home for\nwhich that user is authorized\u2014including users with administrator privileges.\n\nCisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.\n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph\"]", "published": "2016-11-02T16:00:00", "modified": "2016-11-02T15:34:02", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph", "reporter": "Cisco", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph"], "cvelist": ["CVE-2016-6452"], "lastseen": "2018-06-28T08:34:49", "history": [{"bulletin": {"id": "CISCO-SA-20161102-CPH", "type": "cisco", "bulletinFamily": "software", "title": "Cisco Prime Home Authentication Bypass Vulnerability", "description": "A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime\nHome could allow an unauthenticated, remote attacker to bypass\nauthentication. The attacker could be granted full administrator privileges.\n\nThe\nvulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending\na crafted HTTP request to a particular URL. An exploit could allow\nthe attacker to obtain a valid session identifier for an arbitrary user, which\nwould allow the attacker to perform any actions in Cisco Prime Home for\nwhich that user is authorized—including users with administrator privileges.\n\nA vulnerability in the web-based graphical user interface (GUI) of Cisco Prime\nHome could allow an unauthenticated, remote attacker to bypass\nauthentication. The attacker could be granted full administrator privileges.\n\nThe\nvulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending\na crafted HTTP request to a particular URL. An exploit could allow\nthe attacker to obtain a valid session identifier for an arbitrary user, which\nwould allow the attacker to perform any actions in Cisco Prime Home for\nwhich that user is authorized?including users with administrator privileges.\n\nCisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.\n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph\"]", "published": "2016-11-02T16:00:00", "modified": "2016-11-02T15:34:02", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph", "reporter": "Cisco", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph"], "cvelist": ["CVE-2016-6452"], "lastseen": "2017-09-26T15:33:28", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "affectedSoftware": [{"name": "Cisco Prime Home", "version": "any", "operator": "eq"}]}, "lastseen": "2017-09-26T15:33:28", "differentElements": ["description"], "edition": 1}], "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "affectedSoftware": [{"name": "Cisco Prime Home", "version": "any", "operator": "eq"}], "_object_type": "robots.models.cisco.CiscoBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"]}
{"cve": [{"lastseen": "2016-12-01T02:49:41", "references": ["http://www.securityfocus.com/bid/94070", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph"], "edition": 1, "description": "A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges. Cisco Prime Home versions 5.1.1.6 and earlier and 5.2.2.2 and earlier have been confirmed to be vulnerable. Cisco Prime Home versions 6.0 and later are not vulnerable. More Information: CSCvb71732. Known Affected Releases: 5.0 5.0(1) 5.0(1.1) 5.0(1.2) 5.0(2) 5.15.1(0) 5.1(1) 5.1(1.3) 5.1(1.4) 5.1(1.5) 5.1(1.6) 5.1(2) 5.1(2.1) 5.1(2.3) 5.25.2(0.1) 5.2(1.0) 5.2(1.2) 5.2(2.0) 5.2(2.1) 5.2(2.2).", "reporter": "NVD", "published": "2016-11-03T17:59:07", "type": "cve", "title": "CVE-2016-6452", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-6452"], "scanner": [], "cpe": ["cpe:/a:cisco:prime_home:5.0_base", "cpe:/a:cisco:prime_home:5.1_base", "cpe:/a:cisco:prime_home:5.2.0"], "modified": "2016-11-28T15:33:03", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6452", "id": "CVE-2016-6452", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-26T14:36:18", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph"], "pluginID": "1361412562310140149", "description": "A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges.", "edition": 5, "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-02-02T00:00:00", "title": "Cisco Prime Home Authentication Bypass Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CISCO", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6452"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140149", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140149", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_prime_home_cisco-sa-20161102-cph.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Prime Home Authentication Bypass Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:prime_home\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140149\");\n script_cve_id(\"CVE-2016-6452\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Prime Home Authentication Bypass Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph\");\n\n script_tag(name:\"impact\", value:\"The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request to a particular URL. An exploit could allow the attacker to obtain a valid session identifier for an arbitrary user, which would allow the attacker to perform any actions in Cisco Prime Home for which that user is authorized-including users with administrator privileges.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Update to 5.1.1.7/5.2.2.3\");\n script_tag(name:\"summary\", value:\"A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges.\");\n script_tag(name:\"affected\", value:\"Cisco Prime Home versions 5.1.1.6 and earlier and 5.2.2.2 and earlier have been confirmed to be vulnerable.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-02 16:06:02 +0100 (Thu, 02 Feb 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_prime_home_web_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"5.1.1.7\" ) ) fix = '5.1.1.7';\nif( version_in_range( version:vers, test_version:\"5.1.2\", test_version2:\"5.2.2.2\" ) ) fix = '5.2.2.3';\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:vers, fixed_version:fix );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:08", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-prime-home", "http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-home/index.html", "https://www.broadband-forum.org/technical/download/TR-069.pdf", "https://www.defcon.org/images/defcon-22/dc-22-presentations/Tal/DEFCON-22-Shahar-TaI-I-hunt-TR-069-admins-UPDATED.pdf", "https://threatpost.com/cisco-patches-critical-bugs-in-900-series-routers-prime-home-server/121765/"], "description": "Cisco has patched a critical vulnerability in its Cisco Prime Home remote management software used by service providers to oversee and provision subscribers\u2019 home devices.\n\nThe flaw, found by Cisco engineers, is in the product\u2019s web-based GUI and allows remote attackers to bypass authentication and access subscriber home networks as an administrator.\n\n\u201cThe vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication,\u201d Cisco said in its [advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-prime-home>). \u201cAn exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.\u201d\n\nCisco said that versions 6.3, 6.4 and 6.5 are vulnerable and administrators should upgrade to version 6.5.0.1. The vendor added that it is not aware of any public attacks exploiting this vulnerability.\n\nAccording to a Cisco [product page](<http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-home/index.html>), Cisco Prime home includes a number of customer support tools and views into all connected devices in a service provider\u2019s subscriber\u2019s home at scale. This is an attractive vantage point for an attacker looking to manipulate devices on a home network; admin privileges would give an attacker access to devices and allow them to alter configurations, redirect traffic and more.\n\nThe tool communicates over the TR-069 suite of protocols; TR-069 is a [Broadband Forum spec](<https://www.broadband-forum.org/technical/download/TR-069.pdf>) that defines how customer premise equipment communicates with an auto-configuration server such as Cisco Prime Home. A 2014 DEFCON talk by Check Point Software Technologies researcher Shahar Tal described how TR-069 could be abused to [attack residential routers and Internet gateways](<https://www.defcon.org/images/defcon-22/dc-22-presentations/Tal/DEFCON-22-Shahar-TaI-I-hunt-TR-069-admins-UPDATED.pdf>).\n\nThis is the second time since November that Cisco has had to roll out patches for Prime Home, when [a similar authentication bypass flaw](<https://threatpost.com/cisco-patches-critical-bugs-in-900-series-routers-prime-home-server/121765/>), CVE-2016-6452, was patched; the bug was found in the same web GUI and granted admin privileges to an attacker as well.\n", "reporter": "Michael Mimoso", "published": "2017-02-03T10:23:05", "type": "threatpost", "title": "Cisco Patches Authentication Bypass in Cisco Prime Home", "enchantments": {"score": {"modified": "2018-10-06T22:54:08", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2016-6452"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2017-02-03T15:23:05", "id": "THREATPOST:DBD315EFDCE81B10FB27BB5B4FDBDE0A", "href": "https://threatpost.com/cisco-patches-authentication-bypass-in-cisco-prime-home/123551/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:30", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms1", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tp", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa3"], "description": "Cisco Systems has issued two critical advisories addressing flaws in a variety of enterprise-class products ranging from its 900 Series Routers to its Cisco Prime Home server and cloud-based network management platform.\n\nService providers running Cisco ASR 900 Series routers are being warned that a vulnerability in the Transaction Language 1 (TL1) code of the router could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system, according to the advisory.\n\nCisco said software updates are available to patch the flaw ([CVE-2016-6441](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1>)) and that workarounds are also available that address the security vulnerability.\n\nAn additional critical authentication bypass vulnerability was identified in the web-based graphical user interface of its Cisco Prime Home. \u201c(The) vulnerability could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges,\u201d Cisco warned.\n\nThe flaw ([CVE-2016-6452](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph>)) is tied to a URL processing error in the system that could allow an attacker to send a crafted HTTP request to a specific URL. That creates conditions for an attacker to \u201cobtain a valid session identifier for an arbitrary user, which would allow the attacker to perform any actions in Cisco Prime Home for which that user is authorized\u2014including users with administrator privileges,\u201d Cisco wrote.\n\nA software patch is available to address this vulnerability, but no workaround is available.\n\nIn addition to the aforementioned, Cisco warned of two additional vulnerabilities rated as high. Both vulnerabilities are tied to its Cisco Meeting Server product lines. One of the flaws ([CVE-2016-6447](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms>)) is a buffer underflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Those systems include:\n\n * Cisco Meeting Server releases prior to 2.0.1\n * Acano Server releases prior to 1.8.16 and prior to 1.9.3\n * Cisco Meeting App releases prior to 1.9.8\n * Acano Meeting Apps releases prior to 1.8.35\n\nCisco is also warning of a buffer overflow vulnerability, rated high, in the 2.0.3 version of its Cisco Meeting Server and versions of its Acano Server releases. \u201cA vulnerability in the Session Description Protocol (SDP) parser of Cisco Meeting Server could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system,\u201d Cisco said.\n\nCisco said it has released a software update for the vulnerability ([CVE-2016-6448](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms1>)) and that there are no workaround fixes to resolve the flaw.\n\nFive additional flaws rated medium were reported by Cisco ranging from a local command injection vulnerability ([CVE-2016-6459](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tp>)) in its Cisco TelePresence hardware to DoS vulnerability ([CVE-2016-6360](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa3>)) in its Cisco Email and Web Security appliance.\n", "reporter": "Tom Spring", "published": "2016-11-03T11:06:28", "type": "threatpost", "title": "Cisco Patches Critical Bugs in 900 Series Routers, Prime Home Server", "enchantments": {"score": {"modified": "2018-10-06T22:54:30", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2016-6360", "CVE-2016-6441", "CVE-2016-6447", "CVE-2016-6448", "CVE-2016-6452", "CVE-2016-6459"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2016-11-03T15:06:28", "id": "THREATPOST:534997964F340102A28FF71A0B9C4C8A", "href": "https://threatpost.com/cisco-patches-critical-bugs-in-900-series-routers-prime-home-server/121765/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
