Cisco Mobility Services Engine Privilege Escalation Vulnerability

Available Languages

Updated:November 4, 2015
Document ID:1454773642496743

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Security Advisory

Cisco Mobility Services Engine Privilege Escalation Vulnerability

High
Advisory ID:
cisco-sa-20151104-privmse
First Published:
2015 November 4 16:00 GMT
Version 1.0:
Final
Workarounds:
No workarounds available
Cisco Bug IDs:
CSCuv40504
CVE-2015-4282
CWE-264
CVSS Score:
Base 6.8, Temporal 6.5Click Icon to Copy Verbose Score
AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C
CVE-2015-4282
CWE-264

Summary

  • A vulnerability in the installation procedure of the Cisco Mobility Services Engine (MSE) appliance could allow an authenticated, local attacker to escalate to the root level.

    The vulnerability is due to incorrect installation and permissions settings on binary files during the MSE physical or virtual appliance install procedure. An attacker could exploit this vulnerability by logging into the device and escalating their privileges. A successful exploit could allow the attacker to acquire root-level privileges and take full control of the device.

    Cisco has released software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability. 

    This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-privmse

Affected Products

  • Vulnerable Products

    Cisco Mobility Services Engine (MSE) versions 8.0.120.7 and earlier are vulnerable. Administrators can use a command to determine whether a vulnerable version of Cisco MSE is running. Prior to 10.0, the command is getserverinfo. For 10.0 and later, the command is cmxctl version. The following examples show an MSE running versions 8.0.120.1 and 10.2.0:

    [mse]# getserverinfo 
    
Health Monitor is running
    
Retrieving MSE Services status.
    
MSE services are up, getting the status
    

    
-------------
    
Server Config
    
-------------
    

    
Product name: Cisco Mobility Service Engine
    
Version: 8.0.120.1
    
Health Monitor Ip Address: 1.1.1.1
    
High Availability Role: 1
    
Hw Version: V01
    
Hw Product Identifier: AIR-MSE-3365-K9
    
Hw Serial Number: FCH1841V0YL
    

    
[mse]# cmxctl version
    
----------------------------------------------------------------------
    
Build Version   : 10.2.0
    
Build Time       : 2015-10-19 11:20:06.632222
    
----------------------------------------------------------------------

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

Indicators of Compromise

  • If authentication, accounting, and authorization (AAA) server logs indicate that an authenticated user is performing actions at a higher privilege level than their originally assigned role, it could indicate that the device has been compromised. In particular, the authenticated user can obtain root privilege; therefore, all commands executed at the root level should be monitored.

Workarounds

  • There are no workarounds that mitigate this vulnerability.

Fixed Software

  • When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. 

    The following advisories are part of the November 2015 Cisco MSE Security Advisory Companion Publications: 
    Software Download 

    The Cisco MSE Static Credential Vulnerability is fixed in all versions after 8.0.120.7. The latest Cisco MSE software can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html and selecting:

     Products > Wireless > Mobility Services > Mobility Services Engine

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  • Cisco would like to thank security researcher Jeremy Brown and Beyond Security’s SecuriTeam Secure Disclosure (SSD) group for discovering and reporting this vulnerability.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

URL

Revision History

  • Version Description Section Status Date
    1.0 Initial public release. Final 2015-November-04
    Show Less

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications