Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Hard-coded Password in PCP Software

Cisco this week announced the availability of software updates to address a hard-coded password vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software.

Cisco this week announced the availability of software updates to address a hard-coded password vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software.

Due to the existence of the hard-coded account password, an unauthenticated, local attacker could log into the underlying Linux operating system. The vulnerability can be abused to connect to the affected system via Secure Shell (SSH) using the hard-coded credentials.

According to Cisco, an attacker successfully exploiting the vulnerability could access the underlying operating system as a low-privileged user. However, the attacker could elevate privileges to root and take full control of the vulnerable system.

Because of the privilege escalation possibility, the vulnerability has a Security Impact Rating (SIR) of Critical, although it was also assessed with a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which would normally come with a SIR of Medium.

The vulnerability impacts Cisco PCP Software release 11.6 only and no prior builds were found to be affected by it, Cisco notes in an advisory. Impacted customers should update to Cisco PCP releases 12.1 and later, as no workarounds that address this vulnerability exist.

The company also notes that it is not aware of “any public announcements or malicious use of the vulnerability.”

This week, the company also addressed CVE-2018-0147, a Critical (CVSS base score of 9.8) vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS), which could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

Advertisement. Scroll to continue reading.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges,” Cisco explains.

The company also addressed a High risk (CVSS base score of 7.3) bug in the FTP server of the Cisco Web Security Appliance (WSA). Due to incorrect FTP user credential validation, an unauthenticated, remote attacker could exploit the bug to log into the server without a valid password or username.

This security issue affects Cisco AsyncOS for WSA Software running any release of Cisco AsyncOS 10.5.1 for WSA Software. Cisco AsyncOS 10.5.2-042 or later releases address the flaw.

Multiple Medium severity bugs were addressed in other Cisco products.

Related: Cisco Patches Serious DoS, Injection Flaws in Several Products

Related: Cisco Fixes Severe Flaws in Prime Collaboration Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.