Cisco Prime Network Analysis Module Directory Traversal Vulnerability

By

Cisco Prime Network Analysis Module (NAM) is a network management software that allows network administrators with multifaceted visibility to help optimize network resources, troubleshoot performance issues, and deliver a consistent enduser experience.

A directory traversal vulnerability has been reported in the Cisco Prime Network Analysis Module. Because an input validation bug when processing certain HTTP parameters, an attacker could send a certain crafted HTTP request to graph.php to gain access to any file/folder accessible to the web service, and even delete any file if the permission is allowed to the web service.

The file graph.php in Cisco Prime Network Analysis Module is used for displaying graphic elements such as charts on the webpage. This file has a module of reading local files inside /tmp. The name of the file in /tmp directory will be specified by the sfile parameter. However, the graph.php lacks necessary filtering on this parameter. When a request is set with “../”, it could access files outside the web folder, causing a directory traversal vulnerability. What makes things worse is, the HTTP request is used for deleting a file. That means an unauthenticated attacker could cause decent damage on the target server.

 // open file if(!file_exists($sfile) || !($f = fopen($sfile, "r"))) { error_log("Stat file not found: $sfile"); exit; }  // read file while(!feof($f) && strncmp(fgets($f, 2000), "| Interval ", 12)) // skip other stats {;} fgets($f, 2000); $j = 0; $bytes = array(); while(!feof($f)) { $s = fgets($f, 2000);   $s = substr($s , strrpos($s, "| "));   $s = substr($s, 1, -2);   $bytes[$j++] = (int)trim($s); } fclose($f);  // only checks if the path starts with /tmp/, if so, delete the file. // no filter on the parameter  if(strncmp($sfile, "/tmp/", 5)==0) unlink($sfile); 

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13122: Cisco Prime Network Analysis Module graph sfile Directory Traversal
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.