Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Two critical vulnerabilities among 20 patches

Cisco's security developers have served up a parcel of patches.

First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug.

Cisco's notice for CVE-2018-0147 says an attacker could exploit the bug with a crafted Java object, and gain root privilege.

The bug affects all units running software up to version 5.8 patch 9, and fortunately while no longer sold, the Secure ACS is still in support, so Cisco has shipped patched software.

The other critical-rated bug is in the Cisco Prime Collaboration provisioning system: it has a hard-coded password in its SSH implementation, CVE-2018-0141.

The advisory says an attacker could use the SSH connection to get access to the underlying Linux operating system as a low-privilege user, and then elevate themselves to root to completely control the system.

The bug is only present in Cisco Prime Collaboration Provisioning Software Release 11.6, and there's a fix available.

Today's advisory list contains another 20 lower-rated bugs – enjoy.


 
  • Like
Reactions: harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top