Hard-Coded Password in Cisco Software Lets Attackers Take Over Linux Servers

A medium yet critical vulnerability has been discovered in Cisco Prime Collaboration Provisioning software that could allow a local attacker to elevate privileges to root and take full control of a system.

The Cisco Prime Collaboration Provisioning (PCP) application allows administrators to remotely control the installation and management of Cisco communication devices (integrated IP telephony, video, voicemail) deployed in the company and services for its subscribers.

The vulnerability (CVE-2018-0141) is due to a hard-coded password for Secure Shell (SSH), which could be exploited by a local attacker to connect to the PCP's Linux operating system and gain low-level privileges.

Cisco PCP Hard-Coded Password Flaw


According to an advisory released by Cisco, with low-level privileges, an attacker could then elevate its privileges to root and take full control of the affected devices.

Although this vulnerability has been given a Common Vulnerability Scoring System (CVSS) base score of 5.9 out of 10, Cisco has rated this bug as critical, as there are "extenuating circumstances" that could allow attackers to elevate their privileges to root.

The company itself detected this bug during "internal security testing," and said that it only affects PCP version 11.6, released in November 2016.

Along with other security patches for its other products, Cisco has patched this vulnerability with the release of Cisco PCP software version 12.1.

Cisco Secure ACS Remote Code Execution Flaw


Besides the Cisco PCP flaw, the company has also patched a critical Java deserialization vulnerability affecting its Secure Access Control System (ACS), a product that offers authentication, accounting, and authorization services to network devices.

The Cisco Secure ACS flaw (CVE-2018-0147) could allow an unauthenticated attacker to remotely execute malicious code on vulnerable devices with root privileges without requiring any credentials, the company said in its advisory.

This vulnerability has been given a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10, rated as critical, as it allows attackers to execute arbitrary commands on the affected device with "root" privileges.

This flaw affects all versions of Cisco Secure ACS before release 5.8 patch 9. However, systems running Cisco Secure ACS version 5.8 Patch 7 or Patch 8 require authentication in order to exploit this vulnerability, which has been given a CVSS base score of 8.8.

This vulnerability has been fixed in Cisco Secure ACS 5.8.0.32.9 Cumulative Patch.

The company is strongly encouraging users to update their software to the latest versions as soon as possible, as there are no workarounds to patch these vulnerabilities.