Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Fixes Severe Flaws in Prime Collaboration Product

Cisco has released updates for its Prime Collaboration Provisioning software to address critical and high severity vulnerabilities that can be exploited remotely without authentication.

Cisco has released updates for its Prime Collaboration Provisioning software to address critical and high severity vulnerabilities that can be exploited remotely without authentication.

The flaws were reported to Cisco by Andrea Micalizzi (aka rgod) through Trend Micro’s Zero Day Initiative (ZDI). Micalizzi, one of ZDI’s top contributors, was credited on Wednesday by the networking giant for finding a total of five vulnerabilities in its Prime Collaboration Provisioning product, which provides a web-based interface for managing Cisco communication services.

The most serious of the flaws, rated critical and tracked as CVE-2017-6622, allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

“The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application,” Cisco said in its advisory.

Micalizzi also discovered a high severity information disclosure vulnerability (CVE-2017-6621) in the Prime Collaboration Provisioning software. The weakness can be exploited by a remote attacker, via specially crafted HTTP requests, to obtain information that can be useful in the reconnaissance phase of an attack.

Users have been advised to update the software to versions 11.6 and 12.1 or later to address these vulnerabilities.

Cisco has also published advisories describing medium severity directory traversal vulnerabilities found by the researcher in the Prime Collaboration Provisioning software. These bugs can be leveraged to view and delete files from the system, but they are considered less severe as they can only be exploited by an authenticated attacker.

Cisco said there was no evidence that any of these flaws had been exploited in the wild.

Advertisement. Scroll to continue reading.

Cisco published nearly two dozen advisories on Wednesday, but most of them cover medium severity issues. There are only two other advisories describing high severity flaws, including a directory traversal that allows a remote attacker to read files from the Cisco TelePresence IX5000 Series filesystem.

A privilege escalation vulnerability in the Cisco Policy Suite (CPS) software has also been rated high severity, but it can only be exploited by an authenticated, local attacker.

Related: Severe Flaws Found in Cisco Management, Security Products

Related: Cisco CloudCenter Orchestrator Flaw Exploited in Attacks

Related: Cisco Patches Critical Flaw in Aironet Access Points

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.