Cisco informed customers this week that it has patched one critical and five high severity vulnerabilities in Prime Collaboration Provisioning (PCP), a web-based provisioning solution that allows organizations to manage their communications services.
The critical flaw, CVE-2018-0321, allows a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform actions that affect both the PCP and the devices connected to it.
The list of high severity vulnerabilities affecting PCP includes two issues that allow an unauthenticated attacker to reset the password on affected systems and gain admin-level privileges by sending a specially crafted password reset request.
Another high severity bug allows an unauthenticated attacker to execute arbitrary SQL queries. The remaining high severity vulnerabilities are access control issues that allow authenticated attackers to elevate their privileges.
Users can patch all the PCP vulnerabilities by updating to version 12.3, but fixes for some of these flaws are included in versions 12.1 and 12.2. The security holes have been identified by Cisco during internal security testing and there is no evidence of exploitation in the wild.
Cisco also fixed a critical vulnerability, tracked as CVE-2018-0315, it the authentication, authorization, and accounting (AAA) security services of Cisco IOS XE software. An attacker can exploit this flaw remotely to execute arbitrary code on a device or cause a denial-of-service (DoS) condition.
Other high severity problems patched this week include DoS vulnerabilities in IP Phone and Adaptive Security Appliance (ASA) products, a security bypass in Cisco Web Security Appliance (WSA), and a command execution vulnerability in Network Services Orchestrator (NSO).
Cisco’s advisories also describe an information disclosure bug in Meeting Server, and a DoS vulnerability impacting multiple products.
Patches are available for all these flaws and there is no evidence of malicious exploitation.
Related: Cisco Patches Critical Code Execution Flaw in Security Appliances
Related: Cisco Patches Critical Flaws in WebEx, UCS Director
Related: Critical Flaws in Cisco DNA Center Allow Unauthorized Access
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
