Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2158
Cisco Prime Infrastructure contains SUID root binaries
19 August 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Prime Infrastructure
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Root Compromise -- Existing Account
Resolution: Patch/Upgrade
Original Bulletin:
http://www.kb.cert.org/vuls/id/300820
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#300820
Cisco Prime Infrastructure contains SUID root binaries
Original Release date: 17 Aug 2015 | Last revised: 17 Aug 2015
Overview
The Cisco Prime Infrastructure version 2.2 contains two binaries with SUID
root world-executable privileges, allowing any local user to execute arbitrary
commands as root.
Description
CWE-276: Incorrect Default Permissions
Two binaries are included in Cisco Prime version 2.2 that run as SUID root
with world-executable privileges. The commands are
/opt/CSCOlumos/bin/runShellCommand
/opt/CSCOlumos/bin/runShellAsRoot
These commands may be used to run arbitrary commands as root by any local
user.
According to Cisco, the default installation does not create any regular
users, and Cisco does not support or recommend creating regular users or
utilizing the command line shell for administration. Cisco has provided more
information in a security advisory (customer user account required to view).
Impact
A remote authenticated user may escalate privileges to root and execute
arbitrary commands.
Solution
Apply an update
Cisco has released an update to address this issue. For more information on
the update, please see Cisco's security advisory (customer user account
required to view). Affected users should update as soon as possible.
You may also consider the following workaround:
Restrict executable permissions
According to the reporter, affected users may remove the world-executable
permissions on runShellCommand and runShellAsRoot to disallow any local
account from utilizing these binaries.
Vendor Information (Learn More)
Vendor Status Date Notified Date Updated
Cisco Affected 16 Mar 2015 08 May 2015
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group Score Vector
Base 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal 8.5 E:H/RL:W/RC:C
Environmental 6.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
References
https://tools.cisco.com/bugsearch/bug/CSCut39938
https://tools.cisco.com/quickview/bug/CSCut39938
Credit
Thanks to Jeremy Brown for reporting this issue.
This document was written by Garret Wassermann.
Other Information
CVE IDs: Unknown
Date Public: 31 Jul 2015
Date First Published: 17 Aug 2015
Date Last Updated: 17 Aug 2015
Document Revision: 56
Feedback
If you have feedback, comments, or additional information about this
vulnerability, please send us email.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVdP6ln6ZAP0PgtI9AQJHKRAAkMUzBwYHGDSpNKwCO6wYJLSDCZaT/1b0
re9yPLhesDWDcmYEJwgLKUN6FjmA/bgghG47emGdMmSAfIFvpmMl+Ck/TEW1wdbX
g+dtjjOewZaK69tly4Vl627deXEJUfd1qQFL5eWF/PVtdDLgdpyA8grphBYHVaeU
caYzCQrOFRrw1ALU+3DVOWhozAIc6Gy7JowA8QbimcAQAATALyuMYzOr5N0PSFDa
eA16nRDVuEeR8mPFFJ7Keg7xHToPnT5e6p8u+xaZ0Zl9/4eIzv36SDk+mJLdZ1ZX
UrSYyrJRcSOYeSV7KPiQagVUK0kXtzsG5Td+IZ7AP5swmtvXiwkldYLjZjmurLzO
SfjiiRL74BmyXY5hqyf7lesczMGI/KD7EtvXRoIdgNNeOTbnIrOun2jkmza+tMrS
hDkssWlbr1efj3k+CfEO8tc3t0KdwFAD1MhdbF1lR4a2iS0AYhNughvBtl34ckJU
5FS2rOfafvpdHLF/mRaqJkr/oj4l2DRt9hq56MjfEq+VKAzX8p10XhzgJgMbpRXI
c3GbapQdf7uRvQO1ChPiMgjFJJTLoEDAlsjGr4mVDL3BimW2gfmz2VNL7sUgzsW0
hRHYKcV51h00tdX5FzOB6MSwNLTKofik5b2MEtZjZSl7TXyZL0CWhJcOXHN55HMq
thV7uedXseU=
=VytL
-----END PGP SIGNATURE-----