CVE-2018-15379
📋 TL;DR
CVE-2018-15379 allows unauthenticated remote attackers to upload arbitrary files via TFTP through Cisco Prime Infrastructure's web interface because of incorrect directory permissions. This enables command execution with the privileges of the 'prime' user (non-administrative). All Cisco Prime Infrastructure deployments running vulnerable versions are affected.
💻 Affected Systems
- Cisco Prime Infrastructure
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through privilege escalation from prime user to root, leading to data theft, network pivoting, or ransomware deployment.
Likely Case
Unauthenticated remote code execution allowing attackers to install backdoors, steal credentials, or disrupt operations.
If Mitigated
Limited impact with proper network segmentation and monitoring, potentially allowing file upload but preventing command execution.
🎯 Exploit Status
Metasploit module available (exploit/linux/http/cisco_prime_tftp_rce). Simple exploitation with public tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.1 and later
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp
Restart Required: Yes
Instructions:
1. Back up the configuration.
2. Download Prime Infrastructure 3.4.1 or later from the Cisco Software Center.
3. Install the update following Cisco's upgrade guide.
4. Verify the installation and restart services.
🔧 Temporary Workarounds
Disable TFTP via Web Interface
Remove the TFTP file upload capability from the web interface to close the exploitation vector.
Navigate to Administration > Settings > TFTP Server Settings > Disable TFTP
Network Access Control
Restrict access to the Prime Infrastructure web interface using firewall rules. Replace trusted_networks with the CIDR of your management network; the two rules must be added in this order so the ACCEPT is evaluated before the DROP.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
🧯 If You Can't Patch
- Isolate system on dedicated VLAN with strict firewall rules allowing only necessary management traffic
- Implement web application firewall (WAF) to block malicious upload patterns and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check Prime Infrastructure version via web interface (Help > About) or CLI command 'show version' and compare to vulnerable versions (< 3.4.1).
Check Version:
show version | include Version
Verify Fix Applied:
Verify that the version is 3.4.1 or later and test that TFTP upload functionality is properly restricted.
📡 Detection & Monitoring
Log Indicators:
- TFTP file upload attempts in web server logs
- Unusual process execution by prime user in system logs
- File creation in normally restricted directories
Network Indicators:
- TFTP traffic to Prime Infrastructure on unusual ports
- HTTP POST requests with file upload patterns to vulnerable endpoints
SIEM Query:
source="prime_infrastructure_logs" AND (tftp OR upload) AND response_code=200
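The SIEM query above can be reproduced offline against raw web server access logs. The following Python script is an added example, not code from the page or from Cisco: it parses combined-format log lines, applies the same rule ((tftp OR upload) in the request path AND status 200), and adds a sequence heuristic that flags a source which first POSTs to an upload path and later fetches a tftp path, matching the "upload, then access through the web interface" pattern described in the TL;DR. The sample log lines and their request paths are constructed placeholders, not Prime Infrastructure's real endpoints.

```python
"""Flag successful TFTP/upload-style requests in web server access logs,
mirroring the SIEM rule (tftp OR upload) AND response_code=200."""
import re

# Constructed sample lines in Apache combined log format. The request paths
# are invented placeholders for illustration, not the product's real endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2018:10:12:01 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Oct/2018:10:12:05 +0000] "POST /tftp/upload HTTP/1.1" 200 312 "-" "python-requests/2.19"
203.0.113.7 - - [03/Oct/2018:10:12:06 +0000] "GET /tftp/uploaded.bin HTTP/1.1" 200 87 "-" "python-requests/2.19"
10.0.0.5 - - [03/Oct/2018:10:13:00 +0000] "POST /upload/image HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Oct/2018:10:14:00 +0000] "POST /tftpUpload HTTP/1.1" 500 0 "-" "curl/7.61"
"""

# client ip, two unused fields, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
KEYWORDS = ("tftp", "upload")


def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_upload_hits(entries):
    """Requests that succeeded (200) and whose path mentions tftp or upload.
    This is the access-log equivalent of the SIEM query on the page."""
    return [
        e for e in entries
        if e["status"] == 200 and any(k in e["path"].lower() for k in KEYWORDS)
    ]


def sources_with_upload_then_fetch(entries):
    """Heuristic: a source that POSTs to an upload/tftp path with 200 and later
    GETs a tftp path with 200, i.e. a file was placed and then retrieved through
    the web interface. Entries are assumed to be in chronological order."""
    posted = set()
    suspicious = set()
    for e in find_upload_hits(entries):
        if e["method"] == "POST":
            posted.add(e["ip"])
        elif e["method"] == "GET" and e["ip"] in posted and "tftp" in e["path"].lower():
            suspicious.add(e["ip"])
    return suspicious


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for hit in find_upload_hits(parsed):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    print("upload-then-fetch sources:", sources_with_upload_then_fetch(parsed))
```

Only responses with status 200 are reported, so failed attempts (401, 500) are excluded exactly as in the SIEM query; if you also want to see blocked attempts for trend monitoring, drop the status filter in find_upload_hits and group by source address instead.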
🔗 References
- http://www.securityfocus.com/bid/105506
- http://www.securitytracker.com/id/1041816
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp
- https://www.exploit-db.com/exploits/45555/