Cisco just patched a critical SQL injection vulnerability residing in the web framework code of theCisco Prime License Manager (PLM) designed to help administrators to manage user licenses on an enterprise-wide scale.
Potential remote attackers could execute arbitrary SQL queries on vulnerable machines after successfully exploiting the CVE-2018-15441 security issue.
According to Cisco's advisory detailing this SQL injection security bug in theCisco Prime License Manager solution, the issue resides in the "lack of proper validation of user-supplied input in SQL queries."
Cisco also says that "An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application."
Furthermore, adversaries that manage to use an exploit to compromise a vulnerable target can also delete or modify any data within Prime License Manager's database, as well as obtain shell access with the system privileges of the postgresuser account.
There are no known workarounds to mitigate this vulnerability at the moment, but Cisco has already released software updates which address the vulnerability.
This vulnerability impacts only PLM 11.0.1 or later installationsThe CVE-2018-15441 security issue impacts CiscoPrime License Manager 11.0.1 and later, with both coresident and standalone deployments being affected.
In coresident configurations, theCiscoPrime License Manager solution is installed as part of theCiscoUnified Communications Manager and CiscoUnity Connection suites.
Moreover,becauseCisco PLM is not included within versions 12.0 or later of CiscoUnity Connection and CiscoUnified Communications Manager, these versions of the two suites are not impacted by this SQL injection vulnerability.
"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory" also says the advisory.