Monday, November 25, 2024

Critical Cisco Authentication Bypass Vulnerability Could Let Attackers Hack Thousands of Home Routers


Remote, unauthenticated access to a vulnerable ISP’s gear could allow an attacker to log into the software as an administrator and remotely take control of thousands upon thousands of customers’ home routers, broadband gateways and similar boxes.

Cisco said the vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication.

An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.
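The page gives no further detail of the processing error, so the following is an added, constructed illustration of the general bug class (URL-keyed RBAC that fails open, CWE-287), not Cisco Prime Home code. The URL paths, role names and function names are hypothetical; the point is how a check keyed on the raw URL differs from one that authenticates first and denies by default.

```python
import posixpath

# Constructed URL-to-role table; paths and role names are hypothetical.
RULES = {
    "/ui/admin": {"administrator"},
    "/ui/reports": {"administrator", "operator"},
}
# The hardened table also lists the API prefix explicitly.
HARDENED_RULES = dict(RULES, **{"/api": {"administrator"}})


def authorize_fail_open(path, role):
    """Flawed: the role is checked only when a rule matches the raw URL."""
    for prefix, roles in RULES.items():
        if path.startswith(prefix):
            return role in roles
    return True  # no rule matched, so the request passes without any login


def authorize_default_deny(path, role, rules=HARDENED_RULES):
    """Hardened: authenticate first, normalise, match whole segments, deny otherwise."""
    if role is None:  # no authenticated session at all
        return False
    # normpath keeps a leading "//", so strip and re-add a single slash.
    clean = "/" + posixpath.normpath(path).lstrip("/")
    for prefix, roles in rules.items():
        if clean == prefix or clean.startswith(prefix + "/"):
            return role in roles
    return False  # unlisted URL: deny


def compare(requests):
    """Return (path, role, fail_open_result, default_deny_result) per request."""
    return [(p, r, authorize_fail_open(p, r), authorize_default_deny(p, r))
            for p, r in requests]


# Constructed sample requests; role None means "not logged in".
SAMPLE = [
    ("/ui/admin/users", "administrator"),
    ("/ui/admin/users", None),
    ("/api/devices", None),        # API URL missing from RULES
    ("//ui/admin/users", None),    # doubled slash defeats the raw prefix match
    ("/api/devices", "administrator"),
    ("/api/devices", "operator"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```
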


Note that “administrator” was italicized by the networking giant. Super serious.

Cisco pitches Prime Home as a “solution” for ISPs and connected device vendors, allowing companies to control devices such as ISP-issued cable modems, routers, and set-top boxes in subscribers’ homes from afar. It uses “Broadband Forum’s TR-069 suite of protocols to provision and manage in-home devices.”

That means that a successful attack on an ISP’s installation of Prime Home would allow a criminal to take administrator-level control of the Prime Home GUI and meddle with all the devices connected to that particular service.

As there are no workarounds or mitigations for the bug, Cisco is recommending that administrators install the update as soon as possible.

Now, imagine you’re an ISP, providing home networking equipment to hundreds of thousands of customers, helping computers, smart TVs, gaming consoles, phones, and other IoT devices connect at high speed to the net. You want a way of remotely managing and supporting that huge number of customer sites.

That is often not as bad as it sounds: ISPs have the resources to keep on top of security issues and manage your net connection without increasing your risks.

“Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the ‘Version:’ line in the login window,” Cisco says.

“If currently logged in, the version information can be viewed in the bottom left of the Prime Home GUI footer, next to the Cisco Prime Home text.”

“All versions of the software – from v6.3.0.0 to below – should be updated. The bug is designated CVE-2017-3791 and CWE-287.”

Cisco also said that, in all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release.

If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Software

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.

By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
