A critical vulnerability in a dozen Cisco collaboration products based on the Cisco Voice Operating System (VOS) could allow unauthenticated, remote attackers to gain access to an affected device.
“An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely,” the company warned.
Among the affected products are the call control and session management solution Cisco Unified Communications Manager (UCM), social media customer care solution Cisco SocialMiner, and conversation recording and storage solution Cisco MediaSense.
The problems stems from a flawed upgrade mechanism.
“The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password,” the company explained.
“If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action. Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability.”
There are no workarounds to fix the flaw, but Cisco has released software updates that address this vulnerability. The security advisory also contains detailed instructions on how to check which upgrade or migration method was used.
The vulnerability was discovered and reported by Quentin Rhoads-Herrera, Penetration Tester Team Lead at US insurance and financial services conglomerate State Farm, and his colleague Rich Mirch.
The Cisco PSIRT says that they are “not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.”