SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Cisco Prime Network Analysis Module Directory Traversal Vulnerability (Dec 21, 2017)


Cisco Prime Network Analysis Module (NAM) is a network management software that allows network administrators with multifaceted visibility to help optimize network resources, troubleshoot performance issues, and deliver a consistent enduser experience.

A directory traversal vulnerability has been reported in the Cisco Prime Network Analysis Module. Because an input validation bug when processing certain HTTP parameters, an attacker could send a certain crafted HTTP request to graph.php to gain access to any file/folder accessible to the web service, and even delete any file if the permission is allowed to the web service.

The file graph.php in Cisco Prime Network Analysis Module is used for displaying graphic elements such as charts on the webpage. This file has a module of reading local files inside /tmp. The name of the file in /tmp directory will be specified by the sfile parameter. However, the graph.php lacks necessary filtering on this parameter. When a request is set with "../", it could access files outside the web folder, causing a directory traversal vulnerability. What makes things worse is, the HTTP request is used for deleting a file. That means an unauthenticated attacker could cause decent damage on the target server.

// open file
if(!file_exists($sfile) || !($f = fopen($sfile, "r")))
{ error_log("Stat file not found: $sfile");
exit; }

// read file
while(!feof($f) && strncmp(fgets($f, 2000), "| Interval ", 12)) // skip other stats {;}
fgets($f, 2000);
$j = 0;
$bytes = array();
{ $s = fgets($f, 2000);
  $s = substr($s , strrpos($s, "| "));
  $s = substr($s, 1, -2);
  $bytes[$j++] = (int)trim($s);

// only checks if the path starts with /tmp/, if so, delete the file.
// no filter on the parameter 
if(strncmp($sfile, "/tmp/", 5)==0) unlink($sfile);

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13122: Cisco Prime Network Analysis Module graph sfile Directory Traversal

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2018 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.13 | S2MSW05