CVE-2018-15379 – HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions allowing an unauthenticated, remote attacker to upload an arbitrary file. This file can later be executed by the attacker at the privilege level of the user. The vulnerability is due to incorrect permission setting for system directories. An attacker could exploit this vulnerability by uploading a malicious file using TFTP ( Trivial File Transfer Protocol), which can later be accessed via the web-interface. Successful exploitation could result in the execution of arbitrary code in the context of the prime user.

Most web applications running on the Cisco Prime Infrastructure (CPI)  virtual appliance are deployed under ‘/opt/CSCOlumos/apache-tomcat-<Version>/webapps’. Since the autoDeploy parameter in the Tomcat server.xml for CPI is set to true for the default virtual host, any directory within the “webapps” directory will be deployed as a web application. One of these applications is “swimtemp”, which symlinks to /localdisk/tftp which is where files uploaded by TFTP are located.

rwxrwxrwx. 1 root admin  swimtemp -> /localdisk/tftp/

The TFTP server in Cisco Prime Infrastructure will by default allow uploads and due to the fact that TFTP has no login or access control mechanisms, any user with network connectivity to the TFTP port may upload arbitrary files. Files uploaded via TFTP are placed in the  directory ‘/localdisk/tftp’.

As a result, an attacker can upload a malicious file using a tftp client to the ‘/localdisk/tftp/’ directory. The malicious file will be available at https://<IP>/swimtemp/<web shell>. Attacker can then visit this URI to execute the code in the context of the “prime” user, which is an unprivileged user that runs the Apache Tomcat server.

Cisco Prime Infrastructure 3.2 and later