The flaws affect the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager.
While two of the flaws required an attacker to have credentials for an attack, the third one could be exploited by an unauthenticated attacker who has the network access.
Cisco has released security updates to patch critical security vulnerabilities discovered in it’s Prime Infrastructure (PI) platform. The flaws were the result of an improper input validation that existed in the web-based management interface of PI, as well as in the Cisco Evolved Programmable Network(EPN) Manager. This could allow remote attackers to execute arbitrary code with elevated privileges.
What are the vulnerabilities?
The three flaws identified were given a CVSS score of 9.8. Among the three, CVE-2019-1821 could be exploited by unauthenticated attackers with network access to the vulnerable interface.
However, CVE-2019-1822 and CVE-2019-1823 required the attackers to have valid credentials for the interface in order to exploit them.
Cisco’s security advisory indicates that the vulnerabilities arose because of PI not handling user-input.
“These vulnerabilities exist because the software improperly validates user-supplied input. An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system,” read the advisory.
However, the firm has resolved vulnerabilities with software updates. Users are advised to install the updates immediately.
Apart from these updates, Cisco has also recently released over 40 advisories that address numerous security flaws found in some of the products. It includes Cisco NX-OS, Cisco FXOS, Cisco Webex, Cisco Firepower amongst others.