Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormRedteam-pentesting.dePACKETSTORM:152963
HistoryMay 17, 2019 - 12:00 a.m.

Cisco Expressway Gateway 11.5.1 Directory Traversal

2019-05-1700:00:00
redteam-pentesting.de
packetstormsecurity.com
203

0.004 Low

EPSS

Percentile

74.9%

JSON
`Advisory: Directory Traversal in Cisco Expressway Gateway  
  
RedTeam Pentesting discovered a directory traversal vulnerability in  
Cisco Expressway which enables access to administrative web interfaces.  
  
  
Details  
=======  
  
Product: Cisco Expressway Gateway  
Affected Versions: 11.5.1, possibly others  
Fixed Versions: See Cisco Bug ID CSCvo47769 [1]  
Vulnerability Type: Directory Traversal  
Security Risk: medium  
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-expressway-traversal  
Vendor Status: fixed version released  
Vendor ID: Cisco Bug ID CSCvo47769  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-002  
Advisory Status: published  
CVE: CVE-2019-1854  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1854  
  
  
Introduction  
============  
  
"Cisco Expressway offers users outside your firewall simple, highly  
secure access to all collaboration workloads, including video, voice,  
content, IM, and presence. Collaborate with people who are on  
third-party systems and endpoints or in other companies. Help  
teleworkers and Cisco Jabber mobile users work more effectively on their  
device of choice."  
(from the Cisco Expressway Series website [2])   
  
  
More Details  
============  
  
Cisco Expressway Gateway is a kind of reverse proxy which implements  
authentication mechanisms and forwards authorised requests to services  
based on information encoded within the requested URL. It supports two  
different URI layouts. The first layout only includes the base64-encoded  
domain name of the gateway itself:  
  
------------------------------------------------------------------------  
https://example.com:8443/$(echo -n example.com|base64)/test123  
  
https://example.com:8443/ZXhhbXBsZS5jb20=/test123  
------------------------------------------------------------------------  
  
The second layout additionally specifies the protocol, hostname and port  
number of a target system which is to be contacted through the gateway:  
  
------------------------------------------------------------------------  
https://example.com:8443/$(echo -n example.com/https/example.int/8443|base64)/test123  
  
https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/test123  
------------------------------------------------------------------------  
  
RedTeam Pentesting analysed a Cisco Unified Communication Manager (CUCM)  
instance which was accessible via a Cisco Expressway Gateway. In this  
configuration, a directory traversal vulnerability was identified. It  
leverages the methodology described in "Breaking Parser Logic" [3] by  
Orange Tsai. The CUCM service, which is implemented using the Tomcat [4]  
application server, interprets URLs different to the upstream  
reverse proxy. By accessing a specially crafted URL, attackers can  
access the CUCM manager application, even though it is not exposed by  
the Cisco Expressway Gateway.  
  
  
Proof of Concept  
================  
  
First, an attacker must authenticate to the Cisco Expressway Gateway.  
A login can be performed by accessing the following URL using  
HTTP-Basic-Authentication:  
  
------------------------------------------------------------------------  
https://example.com:8443/ZXhhbXBsZS5jb20=/get_edge_config  
------------------------------------------------------------------------  
  
Afterwards, the resources on the CUCM may be accessed through the Cisco  
Expressway Gateway. By inserting repeated occurrences of "/..;/" into  
the URL, the directory traversal vulnerability can be exploited. Using  
the following URL, a list of applications installed on the CUCM system  
can be retrieved:  
  
------------------------------------------------------------------------  
https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/cucm-uds/user/example_user/..;/..;/..;/  
------------------------------------------------------------------------  
  
Similarly, the CUCM manager application can be accessed as follows:  
  
------------------------------------------------------------------------  
https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/cucm-uds/user/example_user/..;/..;/..;/ccmadmin  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
Prevent access to the Cisco Expressway Gateway by untrusted parties.  
  
  
Fix  
===  
  
See Cisco Bug ID CSCvo47769 [1] for affected software releases and  
available patches.  
  
  
Security Risk  
=============  
  
The vulnerability can be used to access administrative interfaces which  
are usually not reachable. Attackers could potentially read or modify  
sensitive information via these interfaces. However, it is necessary to  
have an authorised user account to access the Cisco Expressway Gateway.  
Therefore, the vulnerability poses a medium risk.  
  
  
Timeline  
========  
  
2019-02-01 Vulnerability identified  
2019-02-20 Customer approved disclosure to vendor  
2019-02-21 Vendor notified  
2019-02-21 Receipt of advisory acknowledged by vendor  
2019-04-16 Vendor announces public disclosure for May 1st to RedTeam Pentesting  
2019-05-01 Vendor publishes advisory  
2019-05-16 Customer approves release of this advisory  
2019-05-17 Advisory released  
  
  
References  
==========  
[1] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo47769  
[2] https://www.cisco.com/c/en/us/products/unified-communications/expressway-series/index.html  
[3] https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Orange%20Tsai%20-%20Updated/DEFCON-26-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-and-Pop-0days-Out-Updated.pdf  
[4] https://tomcat.apache.org  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
GeschΓ€ftsfΓΌhrer: Patrick Hof, Jens Liebchen  
`

Related

zdt 1
cvelist 1
nvd 1
cisco 1
prion 1
cve 1
zdt
zdt
Cisco Expressway Gateway 11.5.1 Directory Traversal Vulnerability
2019-05-21 00:00:00
cvelist
cvelist
CVE-2019-1854 Cisco Expressway Series Directory Traversal Vulnerability
2019-05-01 00:00:00
nvd
nvd
CVE-2019-1854
2019-05-03 17:29:01
cisco
cisco
Cisco Expressway Series Directory Traversal Vulnerability
2019-05-01 16:00:00
prion
prion
Directory traversal
2019-05-03 17:29:00
cve
cve
CVE-2019-1854
2019-05-03 17:29:01

0.004 Low

EPSS

Percentile

74.9%

JSON
Related for PACKETSTORM:152963
zdt1cvelist1nvd1cisco1prion1cve1