Cisco Systems issued a security advisory warning customers that key products tied to its Cisco Voice Operating System software platform are vulnerable to an attack in which an unauthenticated, remote hacker could gain unauthorized and elevated access to impacted devices.

The Cisco Security Bulletin is rated Critical and was issued Wednesday. It is tied to a vulnerability (CVE-2017-12337) in its Voice Operating System software, which is used in flagship products such as Cisco Unified Communications Manager, a platform that brings together voice, video, telepresence, messaging and presence. Cisco Unified Communications Manager was previously known as CallManager.

Cisco lists 12 products affected by the bug including versions of its Cisco Prime License Manager, Cisco SocialMiner, Cisco Emergency Responder and Cisco MediaSense.

“The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password,” Cisco wrote in its bulletin.

Cisco said that attackers who manage to access an impacted device over SSH File Transfer Protocol (SFTP) while it is still vulnerable could gain root access to the device at that time. “This access could allow the attacker to compromise the affected system completely,” Cisco wrote.

SFTP enables secure file transfer capabilities between networked hosts and is sometimes referred to as Secure File Transfer Protocol.

“If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action,” according to Cisco.

Researchers also note “Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability.”
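The conditions quoted above (exposure after a refresh upgrade or PCD migration, cleared by a later standard upgrade but not by a COP-file install) can be applied to an upgrade inventory to find devices that still need the fix. The Python below is an added example, not code from Cisco or the original article; the event labels, host names and dates are constructed, and it assumes every recorded event ran on an affected release.

```python
from dataclasses import dataclass

# Event labels are assumptions made for this example, not Cisco output.
SETS_FLAG = {"refresh_upgrade", "pcd_migration"}  # leave the engineering flag enabled
CLEARS_FLAG = {"standard_upgrade"}  # ES, service update or major release via standard upgrade
# "cop_install" (an ES delivered as a COP file) is deliberately in neither set.


@dataclass
class Verdict:
    host: str
    exposed: bool
    reason: str


def triage(host, events):
    """Replay one device's (ISO date, kind) upgrade events in date order."""
    exposed, reason = False, "no refresh upgrade or PCD migration recorded"
    for date, kind in sorted(events):
        if kind in SETS_FLAG:
            exposed, reason = True, f"{kind} on {date}, no standard upgrade since"
        elif kind in CLEARS_FLAG and exposed:
            exposed, reason = False, f"remediated by {kind} on {date}"
        # Any other event, including cop_install, leaves the state unchanged.
    return Verdict(host, exposed, reason)


# Constructed inventory: host name -> upgrade history.
INVENTORY = {
    "cucm-pub-01": [("2017-03-02", "refresh_upgrade")],
    "cucm-sub-01": [("2017-03-02", "refresh_upgrade"), ("2017-06-10", "cop_install")],
    "cer-01": [("2017-02-11", "pcd_migration"), ("2017-08-20", "standard_upgrade")],
    "plm-01": [("2017-01-05", "standard_upgrade"), ("2017-09-14", "pcd_migration")],
    "socialminer-01": [("2016-12-01", "standard_upgrade")],
}


def exposed_hosts(inventory):
    """Return the sorted host names whose engineering flag may still be enabled."""
    return sorted(h for h, ev in inventory.items() if triage(h, ev).exposed)


if __name__ == "__main__":
    for host, events in INVENTORY.items():
        v = triage(host, events)
        print(f"{v.host:16} {'EXPOSED' if v.exposed else 'ok':8} {v.reason}")
```

Hosts reported as exposed are the ones to prioritise for the software update, since the advisory lists no workaround.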

Cisco said a software update fixes the bug, and that no workaround to the vulnerability is available at this time.

The U.S. Department of Homeland Security also issued a warning about the vulnerability via US-CERT on Wednesday.

Source: ThreatPost
