CVE-2018-0352

Vulnerability

The vulnerability resides in the Cisco-provided scripts disk-check.sh and harcap.sh for Cisco Wide Area Application Services (WAAS) Software [1]. These scripts are part of the Disk Check Tool and are executed with elevated privileges. The flaw is due to insufficient validation of script files that are executed in the context of these tools. An attacker with valid super user (level 15) credentials can exploit this by replacing one of the script files with a malicious script while the tool is running. The vulnerability affects Cisco WAAS Software releases prior to the fixed version provided in the advisory [1].

Exploitation

To exploit, an attacker must have authenticated local access to the device with super user privileges (level 15) [1]. While the Disk Check Tool is executing, the attacker replaces a legitimate script file (e.g., disk-check.sh or harcap.sh) with a malicious script. The tool then executes the malicious script without proper validation, allowing the attacker to execute arbitrary commands with the privileges of the tool [1]. The attack requires precise timing to replace the file during execution, but no additional user interaction is needed beyond the initial authentication.

Impact

Successful exploitation grants the attacker root-level privileges on the affected Cisco WAAS device [1]. This results in complete compromise of confidentiality, integrity, and availability, as the attacker can take full control of the device, install malware, modify system files, or disrupt services.

Mitigation

Cisco has released software updates to address this vulnerability; users should upgrade to the fixed version as specified in the advisory [1]. No workarounds are available [1]. The advisory also notes that the vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the last update.