Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Two critical vulnerabilities among 20 patches

By Richard Chirgwin

Cisco's security developers have served up a parcel of patches.

First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug.

Cisco's notice for CVE-2018-0147 says an attacker could exploit the bug with a crafted Java object, and gain root privilege.

The bug affects all units running software up to and including version 5.8 patch 9. Although the Secure ACS is no longer sold, it is fortunately still in support, so Cisco has shipped patched software.

The other critical-rated bug is in the Cisco Prime Collaboration provisioning system: it has a hard-coded password in its SSH implementation, CVE-2018-0141.

The advisory says an attacker could use the SSH connection to get access to the underlying Linux operating system as a low-privilege user, and then elevate themselves to root to completely control the system.

The bug is only present in Cisco Prime Collaboration Provisioning Software Release 11.6, and there's a fix available.

Today's advisory list contains another 20 lower-rated bugs – enjoy. ®
