The Hacker News (THN:A81A2037655E7E59C48C199FE05E1D96)
Mar 08, 2018 - 5:37 p.m.

Hard-Coded Password in Cisco Software Lets Attackers Take Over Linux Servers

2018-03-08 17:37:00
The Hacker News
thehackernews.com
CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.017 Low
  Percentile: 86.2%

A vulnerability that scores as medium under CVSS, yet is rated critical by Cisco, has been discovered in Cisco Prime Collaboration Provisioning software. It could allow a local attacker to elevate privileges to root and take full control of a system.

The Cisco Prime Collaboration Provisioning (PCP) application allows administrators to remotely control the installation and management of Cisco communication devices (integrated IP telephony, video, voicemail) deployed in the company, as well as the services provided to its subscribers.

The vulnerability (CVE-2018-0141) is due to a hard-coded password for Secure Shell (SSH), which could be exploited by a local attacker to connect to the PCP’s Linux operating system and gain low-level privileges.

Cisco PCP Hard-Coded Password Flaw

According to an advisory released by Cisco, an attacker with low-level privileges could then elevate their privileges to root and take full control of the affected devices.

Although this vulnerability has been given a Common Vulnerability Scoring System (CVSS) base score of 5.9 out of 10, Cisco has rated this bug as critical, as there are “extenuating circumstances” that could allow attackers to elevate their privileges to root.

The company itself detected this bug during “internal security testing,” and said that it only affects PCP version 11.6, released in November 2016.

Along with other security patches for its other products, Cisco has patched this vulnerability with the release of Cisco PCP software version 12.1.

Cisco Secure ACS Remote Code Execution Flaw

Besides the Cisco PCP flaw, the company has also patched a critical Java deserialization vulnerability affecting its Secure Access Control System (ACS), a product that offers authentication, accounting, and authorization services to network devices.

The Cisco Secure ACS flaw (CVE-2018-0147) could allow an unauthenticated attacker to remotely execute malicious code on vulnerable devices with root privileges without requiring any credentials, the company said in its advisory.

This vulnerability has been given a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10, rated as critical, as it allows attackers to execute arbitrary commands on the affected device with “root” privileges.

This flaw affects all versions of Cisco Secure ACS before release 5.8 patch 9. However, systems running Cisco Secure ACS version 5.8 Patch 7 or Patch 8 require authentication in order to exploit this vulnerability, which has been given a CVSS base score of 8.8.

This vulnerability has been fixed in Cisco Secure ACS 5.8.0.32.9 Cumulative Patch.

The company is strongly encouraging users to update their software to the latest versions as soon as possible, as there are no workarounds that address these vulnerabilities.
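
The version ranges reported above can be turned into an inventory check. The following is an added example, not code from Cisco or The Hacker News. It assumes that the fifth field of an ACS version string such as 5.8.0.32.9 is the cumulative patch number, and the hostnames and status labels are made up for illustration.

```python
import re

# Statuses follow the article: ACS before 5.8 patch 9 is affected, patches 7 and 8
# require authentication first; PCP is affected only in version 11.6.
def parse_version(text):
    """'5.8.0.32.9' -> (5, 8, 0, 32, 9); raises ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage_acs(version):
    # Assumption: in a 5.8.0.32.N string the fifth field N is the cumulative patch.
    v = parse_version(version)
    release = (v + (0,))[:2]                 # pad so "5" compares as 5.0
    if release > (5, 8):
        return "REVIEW"                      # outside what the article covers
    if release < (5, 8):
        return "UNAUTH_RCE"                  # CVE-2018-0147, CVSS 9.8
    patch = v[4] if len(v) >= 5 else 0       # no patch field: assume unpatched
    if patch >= 9:
        return "FIXED"
    return "AUTH_RCE" if patch >= 7 else "UNAUTH_RCE"   # patch 7 or 8: CVSS 8.8

def triage_pcp(version):
    # CVE-2018-0141: the article says only PCP 11.6 is affected (12.1 carries the fix).
    v = parse_version(version)
    return "HARDCODED_SSH_PASSWORD" if (v + (0,))[:2] == (11, 6) else "NOT_AFFECTED"

TRIAGE = {"acs": triage_acs, "pcp": triage_pcp}

def triage_inventory(rows):
    """rows: (host, product, version) tuples -> {host: status}."""
    report = {}
    for host, product, version in rows:
        try:
            report[host] = TRIAGE[product.lower()](version)
        except (KeyError, ValueError):
            report[host] = "REVIEW"          # unknown product or odd version string
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("acs-a", "ACS", "5.8.0.32.6"), ("acs-b", "ACS", "5.8.0.32.8"),
          ("acs-c", "ACS", "5.8.0.32.9"), ("pcp-a", "PCP", "11.6"),
          ("pcp-b", "PCP", "12.1"), ("acs-d", "ACS", "n/a")]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:8} {status}")
```

Hosts reported as REVIEW need a manual check, because their product or version string did not match the forms this sketch understands.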
