Menu
Cisco patches critical flaw in Prime Home device management server

Cisco patches critical flaw in Prime Home device management server

The vulnerability could allow hackers to take over servers used by ISPs to manage subscribers and their gateway devices

Cisco Systems has fixed a critical vulnerability that could allow hackers to take over servers used by telecommunications providers to remotely manage customer equipment such as routers.

The vulnerability affects Cisco Prime Home, an automated configuration server (ACS) that communicates with subscriber devices using the TR-069 protocol. In addition to remotely managing customer equipment, it can also "automatically activate and configure subscribers and deliver advanced services via service packages" over mobile, fiber, cable, and other ISP networks.

"A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges," Cisco said in its advisory.

Attackers could exploit the vulnerability by sending API commands over HTTP to a particular URL without requiring authentication. The flaw is caused by a processing error in the role-based access control of URLs, Cisco explained.

In the past, security researchers found vulnerabilities in the TR-069 implementation of many routers that could have allowed hackers to remotely take over those devices. However, a vulnerability in an ACS like Cisco Prime Home is much worse, because it can be used to take control of entire groups of subscriber devices at once.

According to Cisco's documentation, the admin role on the Cisco Prime Home has access to the server's customer support, administration, and audit functions, as well as the ability to perform bulk operations and access utilities and reports.

The vulnerability affects Cisco Prime Home versions 6.3.0.0 and above. Customers are advised to migrate to the latest, fixed version: 6.5.0.1.

The company has also warned customers of a medium-risk URL redirect vulnerability in the Cisco Prime Service Catalog, a product that allows companies to set up self-service portals, provide IT service catalogs for data center and application services, and manage service requests.

An attacker could exploit the vulnerability to redirect a user logged into the Cisco Prime Service Catalog to a phishing site in order to steal their credentials.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cisco

Events

Why experience is the new battleground for partners

Join us for an exclusive webinar, in association with Hewlett Packard Enterprise and Technology Services Industry Association (TSIA) and learn about the latest industry insights and how technology services continue to evolve to deliver differentiated value, and how partners can be successful in 2021 and beyond.

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments