CiscoWorks WLSE "show" CLI Linux shell privilege escalation

cisco-wlse-shell-privilege-escalation (25884) The risk level is classified as MediumMedium Risk

Description:

CiscoWorks Wireless LAN Solution Engine (WLSE) appliances running software could allow a local authenticated attacker to gain root privileges on the system, caused by a vulnerability in the 'show' application which is accessible via the Linux shell. An attacker could exploit this vulnerability to inject arbitrary shell commands and gain root privileges on the affected device or system.

Note: This vulnerability also affects other Linux-based Cisco products that utilize the 'show' applications, including Cisco Hosting Solution Engine (HSE), Cisco User Registration Tool (URT), Cisco Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS).


Consequences:

Gain Privileges

Remedy:

For Cisco Wireless LAN Solution Engine (WLSE):
Upgrade to the latest version of the WLSE software (2.13 or later), as listed in Cisco Security Advisory cisco-sa-20060419-wlse. See References.

For other affected products:
Refer to the Cisco Security Response dated 2006 April 19 1500 UTC (GMT) for upgrade information. See References.

References:

  • Assurance.com.au - Vulnerability Advisory: Multiple vulnerabilities in Linux based Cisco products.
  • BugTraq Mailing List, Wed Apr 19 2006 - 10:15:32 CDT: Multiple vulnerabilities in Linux based Cisco products.
  • BugTraq Mailing List, Wed Apr 19 2006 - 10:42:50 CDT: Re: Multiple vulnerabilities in Linux based Cisco products.
  • Cisco Security Response 2006 April 19 1500 UTC (GMT): Response to Privilege Escalation on Multiple Cisco Products.
  • cisco-sa-20060419-wlse: Cisco Security Advisory: Multiple Vulnerabilities in the WLSE Appliance.
  • BID-17604: Cisco Wireless Lan Solution Engine ArchiveApplyDisplay.JSP Cross-Site Scripting Vulnerability
  • BID-17609: Multiple Linux-Based Cisco Products Local Privilege Escalation Vulnerability
  • CVE-2006-1961: Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13, Hosting Solution Engine (HSE) and User Registration Tool (URT) before 20060419, and all versions of Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS) allow local users to gain Linux shell access via shell metacharacters in arguments to the show command in the application's command line interface (CLI), aka bug ID CSCsd21502 (WLSE), CSCsd22861 (URT), and CSCsd22859 (HSE). NOTE: other issues might be addressed by the Cisco advisory.
  • OSVDB ID: 24813: Cisco Multiple Product show Command Local Privilege Escalation
  • SA19736: Cisco WLSE Privilege Escalation and Cross-Site Scripting
  • SA19739: Cisco ESSE / SMS Privilege Escalation Vulnerability
  • SA19741: Cisco Hosting Solution Engine / User Registration Tool Privilege Escalation
  • SECTRACK ID: 1015965: CiscoWorks Wireless LAN Solution Engine Cross-Site Scripting Flaw Yields Administrative Privileges and Command Line Bug Lets Remote Authenticated Users Gain Shell Access
  • VUPEN/ADV-2006-1434: CiscoWorks Wireless LAN Solution Engine (WLSE) Multiple Vulnerabilities
  • VUPEN/ADV-2006-1435: Cisco Products Command Line Interface Privilege Escalation Vulnerability

Platforms Affected:

  • Cisco CiscoWorks 2000 Service Management Solution
  • Cisco Ethernet Subscriber Solution Engine
  • Cisco Hosting Solution Engine 1.7
  • Cisco Hosting Solution Engine 1.7.0
  • Cisco Hosting Solution Engine 1.7.1
  • Cisco Hosting Solution Engine 1.7.2
  • Cisco Hosting Solution Engine 1.7.3
  • Cisco User Registration Tool
  • Cisco Wireless LAN Solution Engine 2.0 Express
  • Cisco Wireless LAN Solution Engine 2.0
  • Cisco Wireless LAN Solution Engine 2.1
  • Cisco Wireless LAN Solution Engine 2.1 Express
  • Cisco Wireless LAN Solution Engine 2.10
  • Cisco Wireless LAN Solution Engine 2.10 Express
  • Cisco Wireless LAN Solution Engine 2.11
  • Cisco Wireless LAN Solution Engine 2.11 Express
  • Cisco Wireless LAN Solution Engine 2.12 Express
  • Cisco Wireless LAN Solution Engine 2.12
  • Cisco Wireless LAN Solution Engine 2.13 Express
  • Cisco Wireless LAN Solution Engine 2.13
  • Cisco Wireless LAN Solution Engine 2.2 Express
  • Cisco Wireless LAN Solution Engine 2.2
  • Cisco Wireless LAN Solution Engine 2.3
  • Cisco Wireless LAN Solution Engine 2.3 Express
  • Cisco Wireless LAN Solution Engine 2.4
  • Cisco Wireless LAN Solution Engine 2.4 Express
  • Cisco Wireless LAN Solution Engine 2.5 Express
  • Cisco Wireless LAN Solution Engine 2.5
  • Cisco Wireless LAN Solution Engine 2.6 Express
  • Cisco Wireless LAN Solution Engine 2.6
  • Cisco Wireless LAN Solution Engine 2.7
  • Cisco Wireless LAN Solution Engine 2.7 Express
  • Cisco Wireless LAN Solution Engine 2.8 Express
  • Cisco Wireless LAN Solution Engine 2.8
  • Cisco Wireless LAN Solution Engine 2.9
  • Cisco Wireless LAN Solution Engine 2.9 Express

Reported:

Apr 19, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page