Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw

Cisco patches two serious authentication bugs and a Java deserialization flaw.
Written by Liam Tung, Contributing Writer


Cisco has released an update for a critical flaw affecting its Secure Access Control System (ACS) and Cisco Prime Collaboration Provisioning (PCP) software.

PCP, which is used for installing Cisco collaboration and TelePresence components, has a hard-coded password bug that could allow a local attacker to gain root privileges and take control of a PCP device.

Using the hardcoded password, an attacker could log in to the PCP's Linux operating system via SSH as a low-privileged user and, from there, elevate to root.

That's why Cisco is rating the bug as critical even though it only has a Common Vulnerability Scoring System (CVSS) base score of 5.9 out of 10.

Cisco says in its advisory that only PCP release 11.6, released in November 2016, is affected. Admins can check the release number by logging into the PCP interface, clicking Settings and then About.

The second critical flaw affects Cisco's Secure Access Control System (ACS) and could allow a remote, unauthenticated attacker to execute arbitrary commands on the device with root privileges.


"The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object," Cisco said.

All versions before Cisco Secure ACS 5.8 patch 9 are affected by the flaw. Admins can use the ACS command-line interface to find out which ACS version the device is running or use the ACS web interface and click the About link.

However, Cisco notes that exploiting the bug on Secure ACS systems running release 5.8 Patch 7 or Patch 8 requires authentication.

The DHS's US-CERT also recommends admins review a high-severity issue affecting the FTP server of the Cisco Web Security Appliance (WSA). An unauthenticated attacker could log in to an affected device without a valid username or password, according to Cisco.

In total, Cisco released fixes for 22 vulnerabilities yesterday, the remainder being medium severity issues.
