Source: myhack58 | Author: Anonymous | ID: MYHACK58:62201889683
History: Mar 09, 2018 - 12:00 a.m.

Severe hard-coded password vulnerability and Java deserialization vulnerability in Cisco products - Vulnerability warning - Black Bar Safety Net

2018-03-09 00:00:00 | Anonymous | www.myhack58.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.017 Low
Percentile: 86.2%

Cisco recently released 22 security bulletins, which include two important fixes: one for a hard-coded password vulnerability (CVE-2018-0141) and one for a Java deserialization vulnerability (CVE-2018-0147).
Hard-coded password vulnerability
The hard-coded password vulnerability affects Cisco Prime Collaboration Provisioning (PCP). The product's main role is to let administrators remotely install and maintain Cisco's internally deployed communication devices (integrated IP telephony, video, voicemail) and related subscriber services. Cisco PCP is usually installed on a Linux server. An unauthenticated local attacker can exploit this vulnerability: after compromising another device on the same network, the attacker can connect to the affected system over SSH, elevate privileges to root, and then take over the entire system, that is, the Linux operating system that PCP runs on.
On the CVSS scale (maximum score 10), the hard-coded password vulnerability scores only 5.9, which is the medium-risk level. Cisco discovered the vulnerability during internal security testing. Because it may not be taken seriously in an insecure environment and may result in an attacker obtaining root privileges, Cisco rated it “serious high risk”. Cisco said the vulnerability currently affects only PCP version 11.6, released in 2016. Users are advised to upgrade as soon as possible to the patched PCP version 12.1 to avoid security issues.
Java deserialization vulnerability
The other vulnerability drawing attention is a Java deserialization vulnerability that affects Cisco Secure Access Control System (ACS). Because the affected software attempts to deserialize user-provided content, a remote attacker can exploit this vulnerability without providing valid credentials by sending a crafted serialized Java object, obtaining root privileges and executing arbitrary commands.
On the CVSS scale (maximum score 10), this vulnerability scores 9.8, which makes it a serious vulnerability. It affects all versions of Cisco Secure ACS before 5.8 patch 9. However, on systems running 5.8 patch 7 or 5.8 patch 8, credentials must be provided to exploit it, so the CVSS score there is 8.8. Sien guest recommends that users upgrade to the latest version as soon as possible and refer to the security bulletin for security updates.
