Cisco Patches Authentication Bypass in Cisco Prime Home

Cisco patched a critical remote authentication bypass vulnerability in its Prime Home remote management tool used by service providers.

Cisco has patched a critical vulnerability in its Cisco Prime Home remote management software used by service providers to oversee and provision subscribers’ home devices.

The flaw, found by Cisco engineers, is in the product’s web-based GUI and allows remote attackers to bypass authentication and access subscriber home networks as an administrator.

“The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication,” Cisco said in its advisory. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”

Cisco said that versions 6.3, 6.4 and 6.5 are vulnerable and administrators should upgrade to version 6.5.0.1. The vendor added that it is not aware of any public attacks exploiting this vulnerability.

According to a Cisco product page, Cisco Prime Home includes a number of customer support tools and provides views, at scale, into all connected devices in the homes of a service provider’s subscribers. This is an attractive vantage point for an attacker looking to manipulate devices on a home network; admin privileges would give an attacker access to devices and allow them to alter configurations, redirect traffic and more.

The tool communicates over the TR-069 suite of protocols; TR-069 is a Broadband Forum spec that defines how customer premises equipment communicates with an auto-configuration server such as Cisco Prime Home. A 2014 DEFCON talk by Check Point Software Technologies researcher Shahar Tal described how TR-069 could be abused to attack residential routers and Internet gateways.

This is the second time since November that Cisco has had to roll out patches for Prime Home. In November, a similar authentication bypass flaw, CVE-2016-6452, was patched; that bug was found in the same web GUI and also granted admin privileges to an attacker.
