Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system.
The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers.
Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical."
The reasons are that an attacker can infect another device on the same network and use it as a proxy for his SSH connection to the vulnerable Cisco PCP instance, allowing for remote, over-the-Internet exploitation.
Furthermore, there is a large number of elevation-of-privilege exploits affecting the Linux operating system that an attacker can use and gain root access. Hence, Cisco's decision to classify this flaw as "critical" even with a CVSS score of 5.9 out of a maximum of 10.
Cisco says there are no temporary mitigations and workarounds that network admins can deploy to prevent exploitation of older PCP software, and the company has released patches that PCP owners need to install as soon as possible.
The second critical-level vulnerability that Cisco fixed in yesterday's 22-advisory patch bonanza is a Java deserialization issue affecting Cisco's Secure Access Control System (ACS), a now-deprecated firewall system.
This is a typical Java deserialization issue. When Cisco ACS tries to deserialize user-supplied (Java serialized) content, an attacker could execute code on the device without needing to provide proper credentials. The malicious code runs as root.