9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.017 Low
EPSS
Percentile
86.2%
Recently, Cisco released 22 security Bulletin, which includes two important fixes: fixes a hard-coded password Vulnerability CVE-2018-0141 and a Java deserialization Vulnerability, CVE-2018-0147 to.
! [](/Article/UploadPic/2018-3/20183919138250. png? www. myhack58. com)
Hard-coded password vulnerability
Hard-coded password vulnerability affecting Cisco Prime Collaboration Provisioning(PCP)the product, the product’s main role is to allow administrators to remotely install and maintain Cisco’s internal deployment of the communication devices integrated IP telephony, video, voice mail and subscriber’s related services. Cisco PCP is usually installed in the Linux server. Not authenticated local attacker can exploit this vulnerability, an infection in the same network of the other device, as an SSH connection to the affected system, the permissions elevated to root level, and then take over the entire system, The PCP of the Linux operating system. the
According to the CVSS vulnerability score(full marks 10 Score), the hard-coded password vulnerability is only 5.9, which is in medium-risk level. Cisco internal security testing process discovered this vulnerability, since there may not be valued in an unsafe environment, may result in an attacker obtaining root privileges, and therefore its judges of“serious high risk”it. Cisco said the vulnerability currently affects only the 2016 release of PCP 11.6 version, it is recommended users upgrade as soon as possible to the patched PCP 12.1 version, to avoid security issues.
! [](/Article/UploadPic/2018-3/20183919139464. png? www. myhack58. com)
Java deserialization vulnerability
Another comparison by the attention to the vulnerability is a Java deserialization vulnerability, an affected Cisco secure access control system ACS to. Due to the Affected Software attempts to deserialize user-provided content, a remote attacker can exploit this vulnerability without providing the correct credentials so it can send a well-designed serialized Java object, get root privileges and execute arbitrary commands.
According to the CVSS vulnerability score(full marks 10 Score, the vulnerability Score of 9.8 points, belongs to serious vulnerability, the impact of the 5.8 patch 9 version before all versions of Cisco secure ACS systems. However, running the 5.8 patch 7 version and the 5.8 patch 8 version of the system needs to provide credentials to use, and therefore the CVSS vulnerability Score of 8.8 in. Sien guest recommended to the user as soon as possible to upgrade to the latest version and reference the security Bulletin for security updates.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.017 Low
EPSS
Percentile
86.2%