SecurityWeek


Cisco Fixes Severe Flaws in Prime Collaboration Product

Cisco has released updates for its Prime Collaboration Provisioning software to address critical and high severity vulnerabilities that can be exploited remotely without authentication.

The flaws were reported to Cisco by Andrea Micalizzi (aka rgod) through Trend Micro’s Zero Day Initiative (ZDI). Micalizzi, one of ZDI’s top contributors, was credited on Wednesday by the networking giant for finding a total of five vulnerabilities in its Prime Collaboration Provisioning product, which provides a web-based interface for managing Cisco communication services.

The most serious of the flaws, rated critical and tracked as CVE-2017-6622, allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

“The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application,” Cisco said in its advisory.
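The root cause Cisco describes, a security constraint that is enforced for some HTTP methods but not for others, is a general web-application weakness usually called HTTP verb tampering. The following is an added example, not Cisco's code and not taken from the advisory: a hypothetical handler that checks credentials only on GET and POST, the same handler with the check applied to every method, and a probe that enumerates methods against a protected path to show which ones slip through. The path /admin/config, the credentials and the response body are all constructed so the example runs offline against a local test server.

```python
"""Added example: HTTP verb tampering against a handler that enforces
authentication only for the methods it lists. Hypothetical code standing in
for the pattern the advisory describes; nothing here is Cisco's."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials and the method list a scanner would try.
CREDENTIALS = "Basic " + base64.b64encode(b"admin:secret").decode()
METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "FOO"]


class ResourceHandler(BaseHTTPRequestHandler):
    """Serves a constructed sensitive resource. Subclasses decide which
    methods the authentication check applies to."""

    protected_methods = None  # None means every method (the correct setting)

    def _handle(self):
        needs_auth = self.protected_methods is None or self.command in self.protected_methods
        if needs_auth and self.headers.get("Authorization") != CREDENTIALS:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"db_password=hunter2\n"  # constructed sensitive content
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    # Route every method we implement through the same code path; anything
    # else (e.g. FOO) gets the server's built-in 501 Not Implemented.
    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _handle
    do_OPTIONS = do_TRACE = do_PATCH = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


class VulnerableHandler(ResourceHandler):
    # The flaw: the constraint is written per method, so any method not
    # listed (HEAD, PUT, DELETE, ...) reaches the resource unauthenticated.
    protected_methods = {"GET", "POST"}


class HardenedHandler(ResourceHandler):
    # The fix: the constraint applies to the resource regardless of method.
    protected_methods = None


def start_server(handler_cls):
    """Start handler_cls on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(host, port, path, authorization=None):
    """Send each method in METHODS to path and return {method: status}."""
    results = {}
    for method in METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        headers = {"Authorization": authorization} if authorization else {}
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        results[method] = resp.status
        conn.close()
    return results


def bypasses(results):
    """Methods that reached the resource (2xx) without any credentials."""
    return sorted(m for m, status in results.items() if 200 <= status < 300)


def demo():
    """Probe both handlers; returns (vulnerable_bypasses, hardened_bypasses)."""
    findings = []
    for handler_cls in (VulnerableHandler, HardenedHandler):
        server, port = start_server(handler_cls)
        try:
            findings.append(bypasses(probe("127.0.0.1", port, "/admin/config")))
        finally:
            server.shutdown()
            server.server_close()
    return tuple(findings)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("methods that bypass the vulnerable handler:", vulnerable)
    print("methods that bypass the hardened handler:", hardened)
```

Run it and the vulnerable handler reports DELETE, HEAD, OPTIONS, PATCH, PUT and TRACE reaching the resource without credentials, while the hardened one reports none (FOO is refused with 501 by both, which is the expected answer for a method the server does not implement). Against a real deployment the same probe is a quick check that a patch or a web-server constraint covers every method rather than just the ones the application expects: a 2xx on an unexpected verb for a path that should demand credentials is the finding, and even a HEAD that succeeds where GET is refused shows the constraint is written per method.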

Micalizzi also discovered a high severity information disclosure vulnerability (CVE-2017-6621) in the Prime Collaboration Provisioning software. The weakness can be exploited by a remote attacker, via specially crafted HTTP requests, to obtain information that can be useful in the reconnaissance phase of an attack.

Users have been advised to update the software to versions 11.6 and 12.1 or later to address these vulnerabilities.

Cisco has also published advisories describing medium severity directory traversal vulnerabilities found by the researcher in the Prime Collaboration Provisioning software. These bugs can be leveraged to view and delete files from the system, but they are considered less severe as they can only be exploited by an authenticated attacker.

Cisco said there was no evidence that any of these flaws had been exploited in the wild.


Cisco published nearly two dozen advisories on Wednesday, but most of them cover medium severity issues. There are only two other advisories describing high severity flaws, including a directory traversal that allows a remote attacker to read files from the Cisco TelePresence IX5000 Series filesystem.

A privilege escalation vulnerability in the Cisco Policy Suite (CPS) software has also been rated high severity, but it can only be exploited by an authenticated, local attacker.

Related: Severe Flaws Found in Cisco Management, Security Products

Related: Cisco CloudCenter Orchestrator Flaw Exploited in Attacks

Related: Cisco Patches Critical Flaw in Aironet Access Points

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
