Cisco CSP2100 Authentication Bypass

Product Cisco Cloud Services Platform 2100
Severity Medium
CVE Reference CVE-2017-12251
Type Authentication Bypass

Description

The Cisco CSP 2100 is a network infrastructure service platform. It is a device capable of hosting multiple network services, such as firewalls or other network security appliances, to enable users to create agile, virtual networks to support cloud operations. The Cisco CSP 2100 has web, API and CLI interfaces which can be used to configure and monitor the device. Furthermore, virtual web consoles are also deployed for each hosted service operating on the CSP 2100.

MWR have discovered an authentication bypass issue which enables an unauthenticated user with network access to the CSP 2100 to access the virtual web console of each hosted service.

Impact

Where CSP 2100 web consoles are left logged in, this authentication bypass issue gives an attacker the ability to interact with the command line environments of the services hosted on the CSP 2100. As the CSP 2100 is typically used to host firewalls and other network security appliances, this could be used to manipulate the configuration of these virtual network services to the detriment of the security posture of the networks that depend on them. In MWR's experience of this issue, approximately 40-50% of web consoles were found in a logged-in state, typically as the root user, giving full access to the virtual services.

Cause

The CSP 2100 operates an HTTPS administrative web interface and a separate virtual console web interface. The virtual console web interface does not properly validate a user's credentials or session validity. This is because the token used to convey session validity between the two web interfaces is a time-based token, with no shared secret or similar security mechanism binding it to an authenticated session. Any party who knows how the token is derived from the clock can therefore regenerate it: an attacker can feasibly guess or determine a valid token value and use it to gain access to the virtual web consoles on the CSP 2100.
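The following is an added illustration, not code from the advisory or from Cisco, and it does not reproduce the CSP 2100's actual token format (which this page does not publish). It contrasts a hypothetical clock-derived token (`weak_token`, where the only input is the current minute, so an attacker who knows the scheme enumerates a few neighbouring windows and hits a valid value) with a hypothetical hardened token (`issue_token`/`verify_token`) that is an HMAC under a server-side secret over the authenticated session identifier and an expiry, so it cannot be regenerated without that secret and is checked with a constant-time comparison. The `SECRET`, `session_id` values and the one-minute window are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# ---------------------------------------------------------------------------
# Weak scheme (hypothetical, for illustration only): the token depends solely
# on the wall clock, so anybody who knows the derivation can compute it.
# ---------------------------------------------------------------------------
WINDOW = 60  # assumed one-minute validity window


def weak_token(now: int, window: int = WINDOW) -> str:
    """Token derived purely from the current time window. No secret involved."""
    return hashlib.sha256(str(now // window).encode()).hexdigest()


def weak_verify(token: str, now: int, window: int = WINDOW, skew: int = 1) -> bool:
    """Server side: accept the current window and +/- `skew` windows of drift."""
    return any(
        hmac.compare_digest(token, weak_token(now + i * window, window))
        for i in range(-skew, skew + 1)
    )


def attacker_candidates(attacker_clock: int, window: int = WINDOW, skew: int = 5) -> list[str]:
    """Attacker side: enumerate tokens for windows around its own (possibly
    drifted) clock. One of them will match whatever the server currently accepts."""
    return [weak_token(attacker_clock + i * window, window) for i in range(-skew, skew + 1)]


# ---------------------------------------------------------------------------
# Hardened scheme (hypothetical): bind the console token to an authenticated
# admin session with an HMAC under a secret that only the server holds.
# ---------------------------------------------------------------------------
SECRET = os.urandom(32)  # assumed server-side secret shared by both web interfaces


def _message(session_id: str, exp: int) -> bytes:
    # Domain-separated message: purpose | session | expiry
    return f"console|{session_id}|{exp}".encode()


def issue_token(session_id: str, now: int, ttl: int = 300, secret: bytes = SECRET) -> str:
    """Issued by the admin interface after the user has authenticated."""
    exp = now + ttl
    mac = hmac.new(secret, _message(session_id, exp), hashlib.sha256).hexdigest()
    return f"{session_id}.{exp}.{mac}"


def verify_token(token: str, now: int, secret: bytes = SECRET) -> bool:
    """Checked by the console interface: well-formed, unexpired, MAC matches.
    A real deployment would additionally confirm session_id is still live in
    the shared session store so that logout revokes the console token."""
    try:
        session_id, exp_s, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return False
    if now > exp:
        return False
    expected = hmac.new(secret, _message(session_id, exp), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    now = int(time.time())
    # Attacker whose clock is two minutes off still produces a token the server accepts.
    print("weak scheme bypassed:",
          any(weak_verify(t, now) for t in attacker_candidates(now + 120)))
    # Without SECRET the attacker cannot mint a token the hardened verifier accepts.
    forged = issue_token("sess-42", now, secret=b"\x00" * 32)
    print("hardened scheme bypassed:", verify_token(forged, now))
```

Running the script shows the weak scheme accepting one of the attacker's guesses while the forged HMAC token is rejected; the point of the hardened form is that validity rests on a secret the attacker does not have, not on the clock, and on a session the admin interface actually authenticated.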

Interim Workaround

If it is not possible to apply the vendor patch, an alternative mitigation that limits the impact of this issue is to ensure that users log out of their virtual web console sessions when they are finished, since the bypass only yields a usable shell where a console has been left logged in.

Solution

The vulnerability is fixed in Cisco Cloud Services Platform release 2.2.3 or later. The software can be downloaded from the Software Center on Cisco.com by navigating to Downloads Home > Products > Switches > Virtual Networking > Cloud Services Platform 2100.

Technical details

Please see attached advisory PDF for technical details.

Disclosure Timeline

Date Summary
10/05/2017 Issue discovered by MWR
30/05/2017 Issue reported to Cisco
20/06/2017 Issue confirmed by Cisco
18/10/2017 Public disclosure of issue and patch release