[c-nsp] Cisco Security Advisory: Cisco Prime Home Authentication Bypass Vulnerability

Cisco Systems Product Security Incident Response Team psirt at cisco.com
Wed Nov 2 12:34:41 EDT 2016



Cisco Security Advisory: Cisco Prime Home Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20161102-cph

Revision 1.0

For Public Release 2016 November 2 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges.

The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request to a particular URL. An exploit could allow the attacker to obtain a valid session identifier for an arbitrary user, which would allow the attacker to perform any actions in Cisco Prime Home for which that user is authorized - including users with administrator privileges.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph

