Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerabilities

Cisco Prime Infrastructure and Evolved Programmable Network Manager

On May 15th, Cisco officially issued a security notice stating that three high-risk vulnerabilities (CVE-2019-1821, CVE-2019-1822, CVE-2019-1823) existed in Cisco Prime Infrastructure and Evolved Programmable Network Manager. These vulnerabilities stem from software that does not properly validate and filter user input. An attacker can trigger a malicious file upload to the administrator interface. Success can cause an attacker to execute code with root privileges on the attacked system.

Cisco Prime Infrastructure and Evolved Programmable Network Manager

CVSS: 3.0 Base 9.8

AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: H/E: X/RL: X/RC: X

Affected version

  • Cisco PI Software Releases < 3.4.1
  • Cisco PI Software Releases < 3.5
  • Cisco PI Software Releases < 3.6
  • EPN Manager Releases < 3.0.1

Unaffected version

  • Cisco PI Software Releases == 3.4.1
  • Cisco PI Software Releases == 3.5
  • Cisco PI Software Releases == 3.6
  • EPN Manager Releases 3.0.1

Solution

Cisco has released the corresponding new version to fix the above vulnerability. Users should update Cisco Prime Infrastructure and Evolved Programmable Network Manager to an unaffected version.