Hard-Coded Password in Cisco Software Lets Attackers Take Over Linux Servers

A medium yet critical vulnerability has been discovered in Cisco Prime Collaboration Provisioning software that could allow a local attacker to elevate privileges to root and take full control of a system.

The Cisco Prime Collaboration Provisioning (PCP) application allows administrators to remotely control the installation and management of Cisco communication devices (integrated IP telephony, video, voicemail) deployed in the company and services for its subscribers.

The vulnerability (CVE-2018-0141) is due to a hard-coded password for Secure Shell (SSH), which could be exploited by a local attacker to connect to the PCP's Linux operating system and gain low-level privileges.

Cisco PCP Hard-Coded Password Flaw


According to an advisory released by Cisco, with low-level privileges, an attacker could then elevate its privileges to root and take full control of the affected devices.

Although this vulnerability has been given a Common Vulnerability Scoring System (CVSS) base score of 5.9 out of 10, Cisco has rated this bug as critical, as there are "extenuating circumstances" that could allow attackers to elevate their privileges to root.

The company itself detected this bug during "internal security testing," and said that it only affects PCP version 11.6, released in November 2016.

Along with other security patches for its other products, Cisco has patched this vulnerability with the release of Cisco PCP software version 12.1.

Cisco Secure ACS Remote Code Execution Flaw


Besides the Cisco PCP flaw, the company has also patched a critical Java deserialization vulnerability affecting its Secure Access Control System (ACS), a product that offers authentication, accounting, and authorization services to network devices.

The Cisco Secure ACS flaw (CVE-2018-0147) could allow an unauthenticated attacker to remotely execute malicious code on vulnerable devices with root privileges without requiring any credential, the company said in its advisory.

This vulnerability has been given a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10, rated as critical, as it allows attackers to execute arbitrary commands on the affected device with "root" privileges.

This flaw affects all versions of Cisco Secure ACS before release 5.8 Patch 9. However, systems running Cisco Secure ACS version 5.8 Patch 7 or Patch 8 require authentication in order to exploit this vulnerability, which has been given a CVSS base score of 8.8.

This vulnerability has been fixed inwards Cisco Secure ACS 5.8.0.32.9 Cumulative Patch.

The company is strongly encouraging users to update their software to the latest versions as soon as possible, as there are no workarounds to patch these vulnerabilities.
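
The version rules stated above can be turned into an inventory triage check. The following is an added example, not code from Cisco or from the original article; the hostnames and inventory are constructed, and it assumes ACS 5.8 builds are reported as `5.8.0.32.<patch>`, following the fixed version string quoted above.

```python
import re

def _fields(version):
    """Split a dotted version string into a tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def triage_pcp(version):
    """CVE-2018-0141: per the article, only PCP 11.6 is affected; 12.1 has the fix."""
    if _fields(version)[:2] == (11, 6):
        return "affected: upgrade to 12.1"
    return "not listed as affected"

def triage_acs(version):
    """CVE-2018-0147: per the article, releases before 5.8 Patch 9 are affected."""
    v = _fields(version)
    if len(v) < 2:
        return "unrecognised version string: check manually"
    if v[:2] < (5, 8):
        return "affected, no authentication needed (CVSS 9.8)"
    # Assumption: 5.8 builds read 5.8.0.32.<patch>, as in the fixed 5.8.0.32.9.
    if v[:4] == (5, 8, 0, 32) and len(v) in (4, 5):
        patch = v[4] if len(v) == 5 else 0
        if patch >= 9:
            return "fixed"
        if patch in (7, 8):
            return "affected, authentication required (CVSS 8.8)"
        return "affected, no authentication needed (CVSS 9.8)"
    return "unrecognised version string: check manually"

CHECKS = {"pcp": triage_pcp, "acs": triage_acs}

# Constructed sample inventory: (hostname, product, reported version).
INVENTORY = [
    ("pcp-lab", "pcp", "11.6"),
    ("pcp-prod", "pcp", "12.1"),
    ("acs-old", "acs", "5.6.0.22.3"),
    ("acs-dmz", "acs", "5.8.0.32.7"),
    ("acs-core", "acs", "5.8.0.32.9"),
]

def needs_action(inventory):
    """Return (host, verdict) for hosts that are affected or need a manual check."""
    flagged = []
    for host, product, version in inventory:
        verdict = CHECKS[product](version)
        if verdict.startswith(("affected", "unrecognised")):
            flagged.append((host, verdict))
    return flagged

if __name__ == "__main__":
    for host, verdict in needs_action(INVENTORY):
        print(f"{host}: {verdict}")
```

Version strings that do not match the expected shape are flagged for manual review rather than silently treated as safe.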