Cisco plugs holes in Voice Portal, SSH implementation

Summary:It's Patch Day in the land of Cisco.The network routing and switching giant today released three security bulletins with patches for multiple vulnerabilities affecting the Cisco Voice Portal and the Secure Shell server (SSH) implementation in Cisco IOS.

Cisco plugs holes in SSH implementation, Voice Portal
It's Patch Day in the land of Cisco.

The network routing and switching giant today released three security bulletins with patches for multiple vulnerabilities affecting the Cisco Voice Portal and the Secure Shell server (SSH) implementation in Cisco IOS.

The most serious of the vulnerabilities carries a CVSS Base Score of 9.0 and can lead to privilege escalation attacks against businesses using the Cisco Unified Customer Voice Portal (CVP).

In this advisory, Cisco warns that the vulnerability could be exploited to allow a user with an administrator role to create, modify, or delete a superuser account, which has greater system privileges.

Successful exploitation of the vulnerability may result in full control of the system.

Vulnerable products include:

CVP software versions prior to 4.0(2)_ES14 for the 4.0.x release, 4.1(1)_ES11 for the 4.1.x release, and 7.0(1) for the 7.x release.

Cisco also shipped patches for multiple vulnerabilities in the IOS SSH, warning that the flaws could give unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.  This issue carries a CVSS Base Score of 7.8.

A third bulletin warns of three SSH vulnerabilities in the Cisco Service Control Engine (SCE) that may result in system instability or a reload of the SCE.

The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials.

The Cisco Service Control Engine (SCE) issues carry a CVSS Base Score of 7.8.

Patch download and deployment information can be found in the individual bulletins.

* Image source: roney's Flickr photostream (Creative Commons 2.0)

Topics: Cisco, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.