Menu
Cisco patches critical flaw in Prime Home device management server

Cisco patches critical flaw in Prime Home device management server

The vulnerability could allow hackers to take over servers used by ISPs to manage subscribers and their gateway devices

Cisco Systems has fixed a critical vulnerability that could allow hackers to take over servers used by telecommunications providers to remotely manage customer equipment such as routers.

The vulnerability affects Cisco Prime Home, an automated configuration server (ACS) that communicates with subscriber devices using the TR-069 protocol. In addition to remotely managing customer equipment, it can also "automatically activate and configure subscribers and deliver advanced services via service packages" over mobile, fiber, cable, and other ISP networks.

"A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges," Cisco said in its advisory.

Attackers could exploit the vulnerability by sending API commands over HTTP to a particular URL without requiring authentication. The flaw is caused by a processing error in the role-based access control of URLs, Cisco explained.

In the past, security researchers found vulnerabilities in the TR-069 implementation of many routers that could have allowed hackers to remotely take over those devices. However, a vulnerability in an ACS like Cisco Prime Home is much worse, because it can be used to take control of entire groups of subscriber devices at once.

According to Cisco's documentation, the admin role on the Cisco Prime Home has access to the server's customer support, administration, and audit functions, as well as the ability to perform bulk operations and access utilities and reports.

The vulnerability affects Cisco Prime Home versions 6.3.0.0 and above. Customers are advised to migrate to the latest, fixed version: 6.5.0.1.

The company has also warned customers of a medium-risk URL redirect vulnerability in the Cisco Prime Service Catalog, a product that allows companies to set up self-service portals, provide IT service catalogs for data center and application services, and manage service requests.

An attacker could exploit the vulnerability to redirect a user logged into the Cisco Prime Service Catalog to a phishing site in order to steal their credentials.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cisco

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments