Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Two critical vulnerabilities among 20 patches

By Richard Chirgwin

Posted in Security, 8th March 2018 06:29 GMT

Cisco's security developers have served up a parcel of patches.

First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug.

Cisco's notice for CVE-2018-0147 says an attacker could exploit the bug with a crafted Java object, and gain root privilege.

The bug affects all units running software up to version 5.8 patch 9. Fortunately, although the Secure ACS is no longer sold, it is still in support, so Cisco has shipped patched software.
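The class of defect behind a bug like this can be shown in plain Java. The following is an added example, not Cisco's code and unrelated to the ACS implementation: it contrasts an unfiltered `ObjectInputStream.readObject()` call, which instantiates whatever class the incoming bytes name, with the JEP 290 `ObjectInputFilter` allow-list (Java 9+) that rejects any class the application did not expect. The `LoginRequest` and `UnexpectedType` classes are constructed for the illustration.

```java
import java.io.*;
import java.util.Set;

/**
 * Added example (not Cisco code): unfiltered deserialisation next to the
 * JEP 290 allow-list pattern that stops a crafted Java object from being
 * instantiated. Class names below are constructed for illustration.
 */
public class DeserialisationFilterDemo {

    /** A harmless type the application legitimately expects over the wire. */
    static final class LoginRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        LoginRequest(String user) { this.user = user; }
    }

    /** Stands in for any type the application never meant to accept. */
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: readObject() builds whatever class the bytes name. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: an allow-list filter rejects every class not on it. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        // String is on the list because LoginRequest carries a String field,
        // and the filter is consulted for it as well.
        Set<String> allowed = Set.of(LoginRequest.class.getName(), String.class.getName());
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            // serialClass() is null for depth/reference checks; leave those to the defaults.
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;
            return allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialise(new LoginRequest("alice"));
        byte[] unexpected = serialise(new UnexpectedType());

        // Without a filter the stream happily instantiates the unexpected class.
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getSimpleName());

        // With the filter, the expected type still deserialises...
        System.out.println("filtered, expected: " + ((LoginRequest) readFiltered(expected)).user);

        // ...and the unexpected one is refused before any constructor or readObject runs.
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected rejected: " + e.getMessage());
        }
    }
}
```

The filter runs before the object is constructed, which is the point: a gadget class that is never instantiated cannot run its side effects. In production the same allow-list can be applied process-wide through the `jdk.serialFilter` system property rather than per stream.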

The other critical-rated bug is in the Cisco Prime Collaboration provisioning system: it has a hard-coded password in its SSH implementation, CVE-2018-0141.

The advisory says an attacker could use the SSH connection to get access to the underlying Linux operating system as a low-privilege user, and then elevate themselves to root to completely control the system.

The bug is only present in Cisco Prime Collaboration Provisioning Software Release 11.6, and there's a fix available.

Today's advisory list contains another 20 lower-rated bugs – enjoy. ®
