Cisco has pushed out fixes for security vulnerabilities in a wide variety of its products, including two critical flaws in its Secure Access Control System (ACS) and its Prime Collaboration Provisioning (PCP) software.
About the vulnerabilities
The vulnerability (CVE-2018-0141) in the Cisco Prime Collaboration Provisioning software was found during internal security testing and is due to a hard-coded account password on the system.
“An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials. A successful exploit could allow the attacker to access the underlying operating system as a low-privileged user. After low-level privileges are gained, the attacker could elevate to root privileges and take full control of the device,” the company explained.
While the vulnerability can’t be exploited remotely and only allows low-privilege access, “there are extenuating circumstances that allow an attacker to elevate privileges to root,” they noted. And so the flaw is deemed to be critical.
It affects only version 11.6 of the software, and has been now fixed in releases 12.1 and later.
The vulnerability (CVE-2018-0147) in the Cisco Secure Access Control System can be exploited remotely by an unauthenticated attacker and can be used to achieve remote code execution with root privileges.
“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object,” the company explained.
It affects all releases of Cisco Secure ACS prior to release 5.8 patch 9. Its exploitation potential is lesser on Cisco Secure ACS systems running release 5.8 Patch 7 or Patch 8, as it the user needs to be authenticated to pull off the compromise.
The vulnerability has been fixed in Cisco Secure ACS 126.96.36.199.9 Cumulative Patch.
Positive Technologies researchers Mikhail Klyuchnikov and Yury Aleynov have been credited with the discovery of the flaw.
Meltdown and Spectre updates
Cisco has been regularly updating the advisory on the CPU side-channel information disclosure vulnerabilities dubbed Meltdown and Spectre since they were first publicly identified in January 2018.
In the latest update, the company has updated the Vulnerable Products table with estimated availability dates for the delivery of fixed software for Cisco UCS Servers.