Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Two critical vulnerabilities among 20 patches

By Richard Chirgwin

Cisco's security developers have served up a parcel of patches.

First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug.

Cisco's notice for CVE-2018-0147 says an attacker could exploit the bug with a crafted Java object, and gain root privilege.

The bug affects all units running software up to version 5.8 patch 9. Fortunately, although the Secure ACS is no longer sold, it is still supported, so Cisco has shipped patched software.

The other critical-rated bug is in the Cisco Prime Collaboration provisioning system: it has a hard-coded password in its SSH implementation, CVE-2018-0141.

The advisory says an attacker could use the SSH connection to get access to the underlying Linux operating system as a low-privilege user, and then elevate to root to take complete control of the system.

The bug is only present in Cisco Prime Collaboration Provisioning Software Release 11.6, and there's a fix available.

Today's advisory list contains another 20 lower-rated bugs – enjoy. ®
