A vulnerability in Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands with root-level privileges. The vulnerability is due to improper validation of URL requests. An attacker could exploit this vulnerability by requesting an unauthorized command via a specific URL. Successful exploitation could allow an authenticated attacker to execute system commands with root-level privileges.

Cisco has released software updates that address this vulnerability. A software patch that addresses this vulnerability in all affected versions is also available. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140226-pi
Major Version | First Fixed In |
1.2 | Upgrade to a fixed release of 1.3 or higher |
1.3 | 1.3.0.20-2 |
1.4 | 1.4.0.45-2 |
2.0 | 2.0.0.0.294-2 |
NCS1-2-1-12/admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: NCS1-2-1-12
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45

NCS1-2-1-12/admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: NCS1-2-1-12
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45-2

pi146/admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: pi146
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45
SecurityFix_CSCum71308 VERSION INFORMATION
-----------------------------------
Version : 1.0.0 Vendor: Cisco Systems, Inc.
Build Date : January 23 2014 01:24PST
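
As an added example (not Cisco's code and not part of the original advisory), the following Python reads `show version` output and checks the application version against the First Fixed In table. It assumes that the `-2` suffix orders as a trailing numeric component and that a `SecurityFix_CSCum71308` block appears in the output only when the patch is installed; the function and status names are hypothetical.

```python
import re

# "First Fixed In" values from the advisory table; 1.2 has no fixed release of its own.
FIRST_FIXED = {"1.2": None, "1.3": "1.3.0.20-2", "1.4": "1.4.0.45-2", "2.0": "2.0.0.0.294-2"}
PATCH_MARKER = "SecurityFix_CSCum71308"  # patch block name as shown in the third output

# Application version: the "Version :" line under the "Cisco Prime ..." heading,
# not the ADE-OS release/build lines above it.
APP_VERSION = re.compile(
    r"^Cisco Prime[^\n]*\n\s*-+\s*\n\s*Version\s*:\s*(\d+(?:\.\d+)*(?:-\d+)?)", re.M)

def version_key(version):
    # Assumption: "1.4.0.45-2" orders as (1, 4, 0, 45, 2), so it sorts above "1.4.0.45".
    return tuple(int(part) for part in re.split(r"[.-]", version))

def assess(show_version_output):
    """Return (version, status); status is fixed-release, patched, not-fixed or unknown."""
    match = APP_VERSION.search(show_version_output)
    if not match:
        return None, "unknown"
    version = match.group(1)
    train = ".".join(version.split(".")[:2])
    if train not in FIRST_FIXED:
        return version, "unknown"  # train is not listed in the advisory table
    fixed = FIRST_FIXED[train]
    if fixed and version_key(version) >= version_key(fixed):
        return version, "fixed-release"
    # Assumption: the patch block appears in the output only when the patch is installed.
    if PATCH_MARKER in show_version_output:
        return version, "patched"
    return version, "not-fixed"

def sample(version, patched=False):
    # Trimmed copy of the outputs shown above, parameterised on the version line.
    text = ("Cisco Application Deployment Engine OS Release: 2.0\n"
            "ADE-OS Build Version: 2.0.1.038\n"
            "Cisco Prime Network Control System\n"
            "------------------------------------------\n"
            f"Version : {version}\n")
    if patched:
        text += ("SecurityFix_CSCum71308 VERSION INFORMATION\n"
                 "-----------------------------------\n"
                 "Version : 1.0.0 Vendor: Cisco Systems, Inc.\n")
    return text

if __name__ == "__main__":
    for out in (sample("1.4.0.45"), sample("1.4.0.45-2"), sample("1.4.0.45", patched=True)):
        print(assess(out))
```

A 1.2 installation can only report `patched` or `not-fixed` here, because the table lists no fixed 1.2 release.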
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.1 | 2014-March-13 | Updated Fixed Software section to include a link to upgrade information. |
Revision 1.0 | 2014-February-26 | Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.