—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Security Advisory: Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability

Advisory ID: cisco-sa-20181003-pi-tftp

Revision: 1.0

For Public Release: 2018 October 3 16:00 GMT

Last Updated: 2018 October 3 16:00 GMT

CVE ID(s): CVE-2018-15379

CVSS Score v(3): 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

+———————————————————————

Summary

=======

A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges.

The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp”]

—–BEGIN PGP SIGNATURE—–

iQJ4BAEBAgBjBQJbtOqeXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50
IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly
dEBjaXNjby5jb20+AAoJEJa12PPJBfczncEP+M5lner1GQYzsV/jTeE4WiJE+pEF
q0j8uE9xLSIld52PU2UdzdrGanNUhwOBPR1f2SOJmmxuCXt4KG0MKLtM5Wk4Jvky
YV4mn8c4QmaJRlT9AP+OCP7RmlkoPnCaHPfQFlxORd9hxTCV5t+WaOrDb67974xZ
s5gdxPZ4lRgL6kxZI4Sp8eE26Q04iwwLwRKsnxav/E1OsTYF0FCfk8Zyv30dELUY
KMTqJd7C2dSIjR6rHVKXEIccjLaINoSdObollp3plvce9OGceXVcTv9AFNJYKNIi
mn2Cga7De98GgIgDnOm+S3z00mgIGnQf8XSCcCqzJKev4S/9b8gQJlbCq23QO1Td
szb4jZJ4wEzVRoY/gl9Y2Euiz/L9wTTDGIng16W+Tro09VSxk8FDa2quivhrAIKr
UhA1RMyg8GPfnnbyHyA+7DTJE/5jwmnwksd3P7Gr0As3IqLxO+JGUclcl6ADXFFI
yKM2S3WauiOOZ8DqWLlRMHYYAe2Wqe11n0QIVulKua55bcTq9/HqdpGwUQAJdgOc
ZszhgHlbk2kODaLwA/lLJGTa4dsvMzIHc6oHTH4dNLZmI7JEE+JydUDCpV7/pNlG
W4QVrgmC40x0QuSjyRyBCpzQ2S1uMJ83G/qDSgeDTqY+naKZZFftE4YvO/3×3+pK
t72tqHjlSJsTFFk=
=PxLJ
—–END PGP SIGNATURE—–

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com