
Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Two critical vulnerabilities among 20 patches

By Richard Chirgwin


Cisco's security developers have served up a parcel of patches.

First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug.

Cisco's notice for CVE-2018-0147 says an attacker could exploit the bug with a crafted Java object, and gain root privilege.

The bug affects all units running software up to version 5.8 patch 9. Fortunately, although the Secure ACS is no longer sold, it is still in support, so Cisco has shipped patched software.

The other critical-rated bug is in the Cisco Prime Collaboration provisioning system: it has a hard-coded password in its SSH implementation, CVE-2018-0141.

The advisory says an attacker could use the SSH connection to get access to the underlying Linux operating system as a low-privilege user, and then elevate themselves to root to completely control the system.

The bug is only present in Cisco Prime Collaboration Provisioning Software Release 11.6, and there's a fix available.

Today's advisory list contains another 20 lower-rated bugs – enjoy. ®
