Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Patches 'Prime Home' Flaw That Allowed Hackers To Reach Into People's Homes (helpnetsecurity.com)

Posted by BeauHD on from the at-arm's-length dept.

Orome1 quotes a report from Help Net Security: Cisco has patched a critical authentication bypass vulnerability that could allow attackers to completely take over Cisco Prime Home installations, and through them mess with subscribers' home network and devices. The vulnerability (CVE-2017-3791), found internally by Cisco security testers, affects the platform's web-based GUI, and can be exploited by remote attackers to bypass authentication and execute any action in Cisco Prime Home with administrator privileges. No user interaction is needed for the exploit to work, and exploitation couldn't be simpler: an attacker just needs to send API commands via HTTP to a particular URL. The bug exists in versions 6.4 and later of Cisco Prime Home, but does not affect versions 5.2 and earlier. "Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the Version: line in the login window. If currently logged in, the version information can be viewed in the bottom left of the Prime Home GUI footer, next to the Cisco Prime Home text," Cisco instructed in the security advisory.

19 comments

  1. Only apps can app apps! by Anonymous Coward · · Score: 0

    Apps!

  2. theres a prime flaw in my pants by Anonymous Coward · · Score: 0

    i can reach in them and grab root at any time!

  3. So much for Cisco being more secure... by bobbied · · Score: 1

    So are they are more secure than the next guy? Not really, they have bugs too (not to mention they designed a lot of the really scary protocols running around the net that sacrifice security all the time).

    I guess you can give them kudos for finding an issue then fixing it too... Just don't try to find the updated firmware for that old router you have w/o a service contract..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So much for Cisco being more secure... by Anonymous Coward · · Score: 0

      Cisco just FINALLY updated the ASA's to not use MD5 hashes anymore. They are hardly secure.

    2. Re:So much for Cisco being more secure... by rubycodez · · Score: 1

      Cisco is quite a bit less secure than many competing companies, they have just been riding the name recognition for years.

    3. Re:So much for Cisco being more secure... by TheGratefulNet · · Score: 1

      I worked at cisco back in the early 90's when it was 3 buildings in menlo park. I later returned about 2 yrs ago for a short contract job.

      the company change was night and day, of course (they now have over 25 buildings in san jose, alone). what I noticed is that they no longer have the 'best and brightest' but they are an h1b farm, pretty much.

      do you want crappy code and bugs? cause this is how you get crappy code and bugs....

      cisco is a has-been, for the most part. some smart people are still there, but mostly its a 9-5 job with average people doing the needful, then going home. no one really cares, from what I could see when I was there last. and if you dare DO care, they cancel you or fire you.

      I would never recommend people buy cisco anymore unless its the only product that will do what you want; and other than core routers, I'm not sure they have any products that are 'must have's.

      --

      --
      "It is now safe to switch off your computer."
    4. Re:So much for Cisco being more secure... by Anonymous Coward · · Score: 0

      I'm in a similar situation and can totally confirm this. Cisco stopped being anything special MANY years ago. The biggest way to get into trouble at Cisco nowadays is to call somebody on stupidity.

      On the other hand, their code quality is probably better than 99 percent of new companies, which don't care about anything but getting the MVP out the door.

    5. Re:So much for Cisco being more secure... by rubycodez · · Score: 1

      other companies make core routers, I'd strongly recommend looking at Juniper or see if Nokia, Ericsson, Extreme Networks, Huawei, ZTE products can fit your need

  4. Prime Home by turkeydance · · Score: 1

    best new Comedy show on NBC!

  5. Disallow internet - CPE by Anonymous Coward · · Score: 0

    I'm an ISP with about 1400 customers. My default policy is to disallow inbound http, https, snmp, smtp, and other management or ddos abusable protocols, and for exactly this reason of never ending exploitable vulnerabilities in CPE. I offer the option to anyone who asks, to remove this block for their account. I can't remember anyone who has ever called to complain yet that the filtering was stopping them from some legitimate use of their service. I think it's long past since time when end users should be directly addressable / unfiltered.

    1. Re: Disallow internet - CPE by Anonymous Coward · · Score: 0

      Thanks buddy, do you also sell vps to escape from your end user prison, or should I just go shopping at lowendbox?

    2. Re: Disallow internet - CPE by Anonymous Coward · · Score: 0

      Why don't you block everything inbound?

    3. Re: Disallow internet - CPE by Anonymous Coward · · Score: 0

      Just double NAT everything. NAT is security, don't you know.

    4. Re: Disallow internet - CPE by Anonymous Coward · · Score: 0

      It's more legit than w/e that isp dude was talking about with blocking a few ports only.

    5. Re: Disallow internet - CPE by Anonymous Coward · · Score: 0

      If you bothered to read, it says you can simply ask to have the filter dropped. So, no I don't. I just provide instructions, which you obviously don't read.

    6. Re: Disallow internet - CPE by Anonymous Coward · · Score: 0

      No, the management port blocking is effective and routinely enables customer CPE to be effectively immunized against flavor of the week remote exploitation. Nat is not security and is nowhere near as effective as simply dropping inbound device management and DDoS exploitable protocols in the first place. But since you either didn't read or dont understand, perhaps you are just a waste of time and deserve to get pwned.

  6. Based on hundreds of thousands of vulns, yes by raymorris · · Score: 1

    > So are they are more secure than the next guy?

    I manage a vulnerable assessment system. We have hundreds of thousands of distinct vulnerabilities in our database, which we look for on the hundreds of thousands of devices we scan every week. I've been working full time in network security for 18 years. Based on the data I have, yes Cisco is *more secure* than most. Especially if the administrator pays attention to security - Cisco provides many, many ways to make your network more secure.

    >> Not really, they have bugs too

    Anything that has code has bugs. Even most things that DON'T have code have bugs - the average home has more than 100 different kinds of bugs living in it.

    It seems perhaps you have some kind of hard-on for criticizing Cisco. That's cool. If you care at all about intellectual honesty, you can point out that Cisco tends to be quite expensive. You could point out that they don't have perfect security. They do definitely do well above average, however, in my experience testing the security of corporate networks.

    1. Re:Based on hundreds of thousands of vulns, yes by Anonymous Coward · · Score: 0

      Yep. They're above average.

      The big shame is that "average" is absolute shit.

  7. I propose a new acronym by Opportunist · · Score: 2

    Intelligent Devices for the Internet Of Things, or in short IDIOT

    Also applicable to anyone buying something from that product group.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.