Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Patches Severe Vulnerabilities in Prime Collaboration Provisioning

Cisco informed customers this week that it has patched one critical and five high severity vulnerabilities in Prime Collaboration Provisioning (PCP), a web-based provisioning solution that allows organizations to manage their communications services.

Cisco informed customers this week that it has patched one critical and five high severity vulnerabilities in Prime Collaboration Provisioning (PCP), a web-based provisioning solution that allows organizations to manage their communications services.

The critical flaw, CVE-2018-0321, allows a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform actions that affect both the PCP and the devices connected to it.

The list of high severity vulnerabilities affecting PCP includes two issues that allow an unauthenticated attacker to reset the password on affected systems and gain admin-level privileges by sending a specially crafted password reset request.

Another high severity bug allows an unauthenticated attacker to execute arbitrary SQL queries. The remaining high severity vulnerabilities are access control issues that allow authenticated attackers to elevate their privileges.

Users can patch all the PCP vulnerabilities by updating to version 12.3, but fixes for some of these flaws are included in versions 12.1 and 12.2. The security holes have been identified by Cisco during internal security testing and there is no evidence of exploitation in the wild.

Cisco also fixed a critical vulnerability, tracked as CVE-2018-0315, it the authentication, authorization, and accounting (AAA) security services of Cisco IOS XE software. An attacker can exploit this flaw remotely to execute arbitrary code on a device or cause a denial-of-service (DoS) condition.

Other high severity problems patched this week include DoS vulnerabilities in IP Phone and Adaptive Security Appliance (ASA) products, a security bypass in Cisco Web Security Appliance (WSA), and a command execution vulnerability in Network Services Orchestrator (NSO).

Cisco’s advisories also describe an information disclosure bug in Meeting Server, and a DoS vulnerability impacting multiple products.

Advertisement. Scroll to continue reading.

Patches are available for all these flaws and there is no evidence of malicious exploitation.

Related: Cisco Patches Critical Code Execution Flaw in Security Appliances

Related: Cisco Patches Critical Flaws in WebEx, UCS Director

Related: Critical Flaws in Cisco DNA Center Allow Unauthorized Access

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.