Background

In March of 2018 I discovered two vulnerabilities in Cisco’s Wide Area Application Services (WAAS) product.

The WAAS software version which I found both of these in was v6.2.3c, and the vulnerabilities exist in WAAS Central Manager (CM) and WAEs (Wide Area Application Engines).

These vulnerabilities affect any platform (hardware or virtualised) running the affected versions of software.

CVEs CVE-2018-0329 and CVE-2018-0352 were assigned to refer to these vulnerabilities.

The first, CVE-2018-0329, is a hidden, hardcoded, read-only SNMP community string which the administrator is unable to view or disable. The second, CVE-2018-0352, is a local privilege escalation vulnerability which allows an user with the ‘admin’ role to elevate to the root user, normally inaccessible to anybody but Cisco themselves.

The privilege escalation vulnerability allowed me to very easily discover the hardcoded SNMP credentials.

Below, I will cover CVE-2018-0352 and then CVE-2018-0329.

CVE-2018-0352 - WAAS Local Privilege Escalation

Summary

Cisco Wide Area Application Services Local Privilege Escalation Vulnerability

1
2
3
4
5
6
Product: Cisco WAAS
Version: Multiple
Vendor: Cisco Systems, Inc
CVE-ID: CVE-2018-0352
CWE-264: Permissions, Privileges, and Access Controls
CVSS v3: Base Score 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

A user with the ‘admin’ role can escalate from the WAAS CLI into the root user of the underlying Linux system.

Root access could be used to gain covert persistence, or to provide the attacker with access to all traffic flowing through the WAAS.

All WAAS systems running the affected software version are vulnerable.

Details

Cisco WAAS restricts CLI users to an IOS-like restricted shell, and prevents access to the underlying Linux OS from everybody except Cisco TAC and engineers.

The vulnerability allows somebody authenticated as an “admin” user within WAAS’s context to escalate to the root user.

The vulnerability exists within a signed/hashed shell script distributed through CCO (Cisco Connection Online) named “disk-check.sh”, previously located here. At the time of publishing, this script has been removed from CCO.

Administrative users of a WAAS system are allowed to execute shell scripts which are signed by Cisco’s engineering/TAC team.

Signed scripts contain an MD5 hash, which the system verifies before permitting script execution.

For example, the disk-check.sh script’s final few lines are:

1
2
3
4
#-------------------------------------

exit 0
# 0a6e793cdfd207d6420cc055cda7e4ec

The contents of this script appears to be combined with a secret string which, when hashed must match the hash at the bottom of the script.

The below snippet of code contains the privilege escalation bug:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
echo -n "Continue?[yes/no]"
if [ "$1" = "yes" ]; then
        ans='yes'
else
        read ans
fi

while [ "$ans" != 'yes' -a "$ans" != 'no' ]; do
        echo -n "Please enter yes or no: "
        read ans
done

if [ "$ans" = 'no' ]; then
        echo "Disk check aborted"
        exit 0
fi

echo "Please disk_status.txt after reboot for result summary"

TMP_SCRIPT=/tmp/check_disk.sh

if [ "$0" != $TMP_SCRIPT ]; then
        cp $0 $TMP_SCRIPT
        chmod a+x $TMP_SCRIPT
        cd /tmp
        su root<<EOF
nohup $TMP_SCRIPT yes > /tmp/nohup.out &

The bug is that the script is verified when initially launched with the script execute disk-check.sh command, however re-executes itself as root after copying itself to the /tmp directory.

Because the script asks for user input before escalating itself to root privileges, an attacker with ‘admin’ access is able to copy their own malicious shell script on top of the disk-check.sh script while the script is waiting for permission from the user to continue.

Once the user types “yes”, indicating that the script should continue, the script will take a copy of the malicious disk-check.sh, and execute it as the root user.

From here, an attacker is able to gain root persistence, and take ultimate control of the WAAS system, outside of the control of the WAAS administrator.

Fix Information

Cisco has provided a fix, however requires users to uphold a support contract and/or contact Cisco TAC in order to obtain the fix.

Fixed Releases

• v5.5(7c)6
• v6.2(3e)40
• v6.4(1b)9
• v6.4(1c)12
• v6.4(3.66)

The provided fix supposedly changes the script signing and validation method used. Because of this, scripts signed using the previous method will no longer run in WAAS releases containing the fix. Cisco TAC will update scripts as customers who require them contact them.

CVE-2018-0329 - WAAS Hardcoded SNMP Credentials

Summary

Cisco Wide Area Application Services Hardcoded SNMP Credentials

1
2
3
4
5
6
Product: Cisco WAAS
Version: Multiple
Vendor: Cisco Systems, Inc
CVE-ID: CVE-2018-0329
CWE-798: Use of Hard-coded Credentials
CVSS v3: Base Score 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

The system contains a hidden, hardcoded, read-only SNMP string.

All WAAS systems running the affected software version are vulnerable.

Details

The hardcoded SNMP string can be found in /etc/snmp/snmpd.conf.

This string can not be discovered or disabled without access to the root filesystem, which regular administrative users do not have under normal circumstances.

An unauthenticated, remote attacker could use this string to retreive statistics and system information from the WAAS systems.

Fix Information

Cisco has provided a fix, however requires users to uphold a support contract and/or contact Cisco TAC in order to obtain the fix.

Fixed Releases

• v6.2(3e)31
• v6.4(1b)15
• v6.4(3.46)

Timeline

2018-03-07

• Both vulnerabilities discovered.

2018-03-11

• Provided Cisco PSIRT with vulnerability information on the hardcoded SNMP credential.

2018-03-12

• Received initial response from PSIRT stating that they have created the case.

2018-03-13

• Received further response from PSIRT stating that they have assigned the case.

2018-03-21

• PSIRT requested information on how I gained access to the snmpd.conf configuration file.

2018-03-22

• I responded, stating that I have discovered a privilege escalation to root, and that I’m planning to provide this information to PSIRT shortly.

2018-03-29

• Provided Cisco PSIRT with vulnerability information on the privilege escalation.
• Received initial response from PSIRT stating that they have created and assigned the case.

2018-04-10

• I reached out asking for a progress update.

2018-04-16

• PSIRT responded stating that they are planning to disclose the hardcoded SNMP credential on 2018-05-16.

2018-05-08

• PSIRT reached out, stating that the disclosure will be delayed until 2018-06-06.
• I agree to delay disclosure.

2018-05-29

• PSIRT state that the privilege escalation will be disclosed on 2018-06-06.
• PSIRT provides CVE numbers for both vulnerabilities.

2018-06-07

• Cisco releases cisco-sa-20180606-waas-snmp and cisco-sa-20180606-waas-priv-escalation
• Cisco bug IDs CSCvi40137 and CSCvi72673 contain information regarding software versions with fixes applied.

Closure

Thanks to Cisco for the quick fixes.

XORcat