A vulnerability with a medium CVSS score, which Cisco nonetheless rates as critical, has been discovered in Cisco Prime Collaboration Provisioning software. It could allow a local attacker to elevate privileges to root and take full control of a system.
The Cisco Prime Collaboration Provisioning (PCP) application allows administrators to remotely control the installation and management of Cisco communication devices (integrated IP telephony, video, voicemail) deployed in the company and services for its subscribers.
The vulnerability (CVE-2018-0141) is due to a hard-coded password for Secure Shell (SSH), which could be exploited by a local attacker to connect to the PCP's Linux operating system and gain low-level privileges.
Cisco PCP Hard-Coded Password Flaw
According to an advisory released by Cisco, an attacker with low-level privileges could then elevate their privileges to root and take full control of the affected devices.
Although this vulnerability has been given a Common Vulnerability Scoring System (CVSS) base score of 5.9 out of 10, Cisco has rated this bug as critical, as there are "extenuating circumstances" that could allow attackers to elevate their privileges to root.