Cisco WAAS CVE-2017-6730 - Information Disclosure Vulnerability


Background

In April of 2017 I discovered an information disclosure vulnerability in Cisco’s Wide Area Application Services (WAAS) product.

The WAAS software version which I tested was v6.2.3b b22, and the vulnerability exists in the Central Manager’s scheduled reporting functionality.

This vulnerability affects any platform (hardware or virtualised) running the affected versions of WAAS Central Manager.

CVE-2017-6730 was assigned to refer to this vulnerability.

CVE Summary

Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability

Product: Cisco WAAS Central Manager
Version: Multiple
Vendor: Cisco Systems, Inc
CVE-ID: CVE-2017-6730
CWE-200: Information Exposure
CVSS v3: Base Score 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

A remote user can send a request with a specially crafted report ID to the Central Manager web interface to trigger an access control flaw and obtain arbitrary completed reports that have been scheduled by a WAAS administrator via the Reports Central section of the interface.

Systems configured with the Central Manager role are affected.

Details

I discovered that an unauthenticated user was able to retrieve PDF and CSV reports from the Central Manager application if they were able to guess (or were given) report primary key IDs.

For example: Given a report primary key ID, an unauthenticated user is able to retrieve a zip file containing the report in CSV format using the following URL:

https://<cmIp>:8443/CM_Reports/<primaryKey>/statistics.zip

This report could contain information such as internal device hostnames, IP addresses, and WAN optimisation statistics.

PDF reports were more difficult to retrieve, because part of the URL used to get them is the report’s name, which may be more difficult to guess than the ID:

https://<cmIp>:8443/CM_Reports/<primaryKey>/<reportName>_WAAS_<primaryKey>.pdf

The above <primaryKey> and <reportName> values can be found (by an authenticated user) in the JSON on the line beginning with:

var scheduleForm_j_idt20_store = new cm.table.ItemFileWriteStore

from the URL https://<cmIp>:8443/Monitor/scheduleDashboard.xhtml

A nicer way to view this JSON is with the following command:

curl -s -k -b $'JSESSIONID=<sessionId>' $'https://<cmIp>:8443/Monitor/scheduleDashboard.xhtml' | egrep -o "\[.*\{\"completedTimeInMillis\":.*\]" | python -m json.tool

Where <sessionId> is a currently authenticated administrator’s session ID.

The CSV and PDF reports accessible through this vulnerability should be inaccessible to unauthenticated users.
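For defenders who want to spot this flaw being exercised (or confirm that an upgraded Central Manager no longer serves reports to unauthenticated clients), the following added example, which is not part of the original post or of Cisco's product, scans access-log lines for the two report URL shapes described above. It assumes a combined-format access log with the request's Cookie header appended as a final quoted field, and that a valid JSESSIONID cookie marks an authenticated request; both are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# The two report URL shapes from the advisory: the CSV zip and the
# <reportName>_WAAS_<primaryKey>.pdf form; both carry the report primary key.
REPORT_RE = re.compile(
    r"^/CM_Reports/(?P<key>[^/]+)/(?:statistics\.zip|[^/]+_WAAS_(?P=key)\.pdf)$"
)
# Assumed log format: combined access-log format with the request's Cookie
# header appended as one extra quoted field (the advisory specifies no format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return None if m is None else m.groupdict()

def analyse(lines, enum_threshold=3):
    """Flag report files served with no JSESSIONID cookie (a 200 here means the
    host is still vulnerable) and clients that walk several report IDs."""
    findings = []
    keys_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rm = REPORT_RE.match(rec["path"])
        if rm is None:
            continue
        key = rm.group("key")
        keys_by_ip[rec["ip"]].add(key)
        if "JSESSIONID=" not in rec["cookie"] and rec["status"] == "200":
            findings.append(("unauth_report_served", rec["ip"], key))
    for ip, keys in keys_by_ip.items():
        if len(keys) >= enum_threshold:
            findings.append(("report_id_enumeration", ip, len(keys)))
    return findings

# Constructed sample lines, not taken from any real Central Manager.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Apr/2017:10:00:01 +0000] "GET /CM_Reports/101/statistics.zip HTTP/1.1" 200 2048 "-" "curl/7.52.1" "-"',
    '10.0.0.5 - - [05/Apr/2017:10:00:02 +0000] "GET /CM_Reports/102/statistics.zip HTTP/1.1" 200 1930 "-" "curl/7.52.1" "-"',
    '10.0.0.5 - - [05/Apr/2017:10:00:03 +0000] "GET /CM_Reports/103/statistics.zip HTTP/1.1" 404 512 "-" "curl/7.52.1" "-"',
    '10.0.0.9 - - [05/Apr/2017:10:05:00 +0000] "GET /CM_Reports/101/WeeklyTraffic_WAAS_101.pdf HTTP/1.1" 200 7000 "-" "Mozilla/5.0" "JSESSIONID=abc123"',
    '10.0.0.7 - - [05/Apr/2017:10:06:00 +0000] "GET /CM_Reports/101/statistics.zip HTTP/1.1" 403 300 "-" "curl/7.52.1" "-"',
]
```

Running `analyse(SAMPLE_LOG)` reports the two unauthenticated downloads served by the first host and the three-ID walk from 10.0.0.5, while the 403 from a patched host and the cookie-bearing PDF download are left alone.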

Fix Information

Cisco has provided a fix; however, obtaining it requires users to hold a support contract and/or contact Cisco TAC.

Fixed Releases

  • v5.5(7b)17
  • v6.2(3d)8
  • v6.3(0.226)
  • v6.3(0.228)

Timeline

2017-04-01

  • Information disclosure vulnerability discovered.

2017-04-04

  • Provided Cisco PSIRT with vulnerability information.
  • Received initial response from PSIRT stating that they have assigned the case.

2017-04-05

  • Received response from PSIRT stating that they have been able to replicate the issue, and that they’re working on a fix.
  • PSIRT advised that they will inform once they have a firm disclosure date.

2017-06-05

  • I reached out to PSIRT for an update.

2017-06-06

  • Received response stating that disclosure date will be 2017-07-05.

2017-07-05

2018-05-29

  • This post was published.

Closure

Thanks to Cisco for providing a fix for this vulnerability.

As this is my first published CVE, and my first time working with a large company on a product vulnerability, I feel like I have a lot to learn.

I’m open to any suggestions on how to structure disclosures like this better.

Let me know if there is any information that you think I may have missed.

XORcat