Saturday, March 24, 2018

Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw

Cisco patches two serious authentication bugs and a Java deserialization flaw.

Cisco has released an update for a critical flaw affecting its Secure Access Control System (ACS) and Cisco Prime Collaboration Provisioning (PCP) software.

PCP, which is used for installing Cisco collaboration and TelePresence components, has a hard-coded password bug that could allow a local attacker to gain root privileges and take control of a PCP device.

Using the hard-coded password, an attacker could log in to the PCP's Linux operating system over SSH as a low-privileged user and from there escalate to root.

That chain, from a known credential to full control of the appliance, is why Cisco rates the bug as critical even though its Common Vulnerability Scoring System (CVSS) base score is only 5.9 out of 10.

Cisco says in its advisory that only PCP release 11.6, released in November 2016, is affected. Admins can check the release number by logging into the PCP interface, clicking Settings and then About.

The second critical flaw affects Cisco's Secure Access Control System (ACS) and could allow a remote, unauthenticated attacker to execute arbitrary commands on the device with root privileges.

"The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object," Cisco said.

All versions before Cisco Secure ACS 5.8 patch 9 are affected by the flaw. Admins can use the ACS command-line interface to find out which ACS version the device is running or use the ACS web interface and click the About link.

However, Cisco notes that exploiting the bug on Secure ACS systems running release 5.8 Patch 7 or Patch 8 requires authentication.
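Cisco's description above is of a classic Java deserialization bug: the server hands attacker-supplied bytes to a Java object stream without restricting which classes may be reconstructed. The following is an added example (not Cisco's code, and not an exploit for ACS) showing how a defender can recognise such traffic at the network or proxy layer. Every Java serialization stream begins with the magic bytes AC ED 00 05, and an object in it is introduced by a class descriptor that carries the class name in cleartext, so a detector can pull out the first class name from a request body and compare it against an allowlist. The request records, the allowlist and the class name org.example.Gadget are constructed for the example.

```python
import struct

MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC, TC_OBJECT, TC_ARRAY = 0x72, 0x73, 0x75
TC_NULL, TC_ENDBLOCKDATA, SC_SERIALIZABLE = 0x70, 0x78, 0x02


def first_class_name(body: bytes):
    """Return the class name of the first object in a Java serialization stream.

    None  -> no serialization stream present in the body
    "<unparsed>" -> magic present but the stream does not start with a plain
                    object or array (truncated, references, or another tag);
                    treat that as suspicious, not as clean.
    """
    idx = body.find(MAGIC)
    if idx < 0:
        return None
    p = idx + len(MAGIC)
    if p >= len(body) or body[p] not in (TC_OBJECT, TC_ARRAY):
        return "<unparsed>"
    p += 1
    if p >= len(body) or body[p] != TC_CLASSDESC:
        return "<unparsed>"
    p += 1
    if p + 2 > len(body):
        return "<unparsed>"
    (n,) = struct.unpack(">H", body[p:p + 2])   # className is a modified-UTF8 string
    p += 2
    if p + n > len(body):
        return "<unparsed>"
    return body[p:p + n].decode("utf-8", errors="replace")


def scan_requests(requests, allowlist):
    """Flag every request whose body carries a serialized Java object.

    Anything whose first class is not on the allowlist (including streams we
    could not parse) is an alert; allowlisted classes are still reported so the
    analyst can see serialized traffic from unexpected sources.
    """
    findings = []
    for req in requests:
        cls = first_class_name(req["body"])
        if cls is None:
            continue
        findings.append({
            "src": req["src"],
            "path": req["path"],
            "class": cls,
            "verdict": "allow" if cls in allowlist else "alert",
        })
    return findings


def java_object(class_name: str) -> bytes:
    """Build a minimal, well-formed stream for one object of the given class.

    Used only to construct sample input: magic, TC_OBJECT, a class descriptor
    with a zero serialVersionUID, the Serializable flag, no fields, no class
    annotation and no superclass. The object's field data is omitted.
    """
    name = class_name.encode("utf-8")
    return (MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + b"\x00" * 8 + bytes([SC_SERIALIZABLE]) + b"\x00\x00"
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed sample traffic: a normal login form, a benign serialized map, a
# hypothetical gadget class, and a truncated stream.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/acsadmin/login", "body": b"username=admin&password=secret"},
    {"src": "10.0.0.7", "path": "/acsadmin/rpc", "body": java_object("java.util.HashMap")},
    {"src": "203.0.113.9", "path": "/acsadmin/rpc", "body": java_object("org.example.Gadget")},
    {"src": "203.0.113.9", "path": "/acsadmin/rpc", "body": MAGIC + bytes([TC_OBJECT])},
]

ALLOWLIST = {"java.util.HashMap", "java.lang.String"}

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS, ALLOWLIST):
        print(f"{f['verdict']:5} {f['src']:12} {f['path']:15} {f['class']}")
```

The check looks only at the outermost class. Real gadget chains hide the dangerous classes inside the fields of an innocuous outer object, so this is a triage signal for a proxy or IDS rule, not a substitute for the patch; the server-side fix is to stop deserializing untrusted input or, at minimum, to apply an ObjectInputFilter-style allowlist to every class in the stream.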

The US Department of Homeland Security's US-CERT also recommends that admins review a high-severity issue affecting the FTP server of the Cisco Web Security Appliance (WSA). An unauthenticated attacker could log in to an affected device without a valid username or password, according to Cisco.

In total, Cisco released fixes for 22 vulnerabilities yesterday, the remainder being medium severity issues.
