CVE-2018-0141 is the latest vulnerability identified in Cisco’s Prime Collaboration Provisioning (PCP) software. The software ships with a hard-coded account password that attackers could use to gain access to the system and, from there, elevate their privileges to root and take full control of it, security researchers said.
CVE-2018-0141 Cisco Vulnerability Details
The flaw affects PCP version 11.6, and fortunately a patch is already available. Users are urged to upgrade immediately.
Here is the official description of the vulnerability:
A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software 11.6 could allow an unauthenticated, local attacker to log in to the underlying Linux operating system. The vulnerability is due to a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials.
Furthermore, a successful exploit could allow the hacker to access the underlying operating system as a low-privileged user. Once that low-privileged access is obtained, the hacker could elevate to root privileges and take full control of the targeted system, researchers explained.
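The advisory describes a two-step path: an SSH login with the hard-coded credentials, followed by escalation from the low-privileged account to root. The following is an added example (not code from the article or from Cisco) of the kind of detection a defender can run over sshd and sudo log lines to surface both steps. The account name "svc-placeholder" and the log lines are constructed placeholders; the real hard-coded account is not named on this page, and in practice the watched set would be populated from the vendor advisory.

```python
import re
from typing import Dict, Iterable, List

# Accounts that should never authenticate interactively over SSH on an
# appliance. "svc-placeholder" is a made-up name, NOT the real hard-coded
# account from the Cisco advisory (this page does not name it).
WATCHED_ACCOUNTS = {"svc-placeholder"}

# Matches OpenSSH "Accepted <method> for <user> from <src> port <port>" lines.
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
# Matches sudo's default log format: "<user> : ... USER=<target> ; COMMAND=<cmd>".
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample log lines (not captured from any real system).
SAMPLE_AUTH_LOG = """\
Mar  7 10:01:12 pcp-host sshd[2101]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2: RSA SHA256:placeholder
Mar  7 10:02:45 pcp-host sshd[2140]: Accepted password for svc-placeholder from 10.0.0.99 port 40122 ssh2
Mar  7 10:02:50 pcp-host sudo: svc-placeholder : TTY=pts/0 ; PWD=/home/svc-placeholder ; USER=root ; COMMAND=/bin/bash
Mar  7 10:05:00 pcp-host sshd[2199]: Failed password for root from 203.0.113.7 port 2222 ssh2
Mar  7 10:06:10 pcp-host sshd[2210]: Accepted password for admin from 10.0.0.5 port 51300 ssh2
"""


def analyze_auth_log(lines: Iterable[str], watched=WATCHED_ACCOUNTS) -> List[Dict[str, str]]:
    """Return findings for the two steps of the described attack path.

    - a successful SSH login as a watched (built-in / service) account: high
    - a sudo to root by a watched account (the escalation step):        high
    - any other password-based SSH login, worth reviewing on an appliance
      that should use key-based auth only:                               low
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = SSH_ACCEPTED.search(line)
        if m:
            user, method, src = m.group("user"), m.group("method"), m.group("src")
            if user in watched:
                findings.append({"kind": "watched-account-ssh-login", "severity": "high",
                                 "user": user, "src": src, "line": line})
            elif method == "password":
                findings.append({"kind": "password-auth-login", "severity": "low",
                                 "user": user, "src": src, "line": line})
            continue
        s = SUDO_LINE.search(line)
        if s and s.group("user") in watched and s.group("target") == "root":
            findings.append({"kind": "watched-account-root-escalation", "severity": "high",
                             "user": s.group("user"), "src": "", "line": line})
    return findings


if __name__ == "__main__":
    for f in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{f['severity']}] {f['kind']}: {f['user']} {f['src']}".rstrip())
```

The design choice here is to key on account identity rather than on the credential itself: a hard-coded password is never visible in logs, but a login by an account that should have no interactive use is, and pairing it with a later sudo-to-root event reproduces the exact sequence the advisory warns about.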
As already mentioned, the issue is fixed – more specifically in releases 12.1 and later. According to Cisco, the bug was detected during internal security testing. Nonetheless, it is the second critical bug discovered in Cisco’s software recently, along with a whole list of medium-impact bugs that the company revealed in a security advisory.
Critical vulnerabilities in Cisco products were also disclosed throughout 2017, such as CVE-2017-3881 – the identifier of a critical vulnerability affecting more than 300 Cisco switches and one gateway. The exploitation of the flaw could lead to attackers obtaining control over the corresponding devices.
Cisco came across CVE-2017-3881 while going through WikiLeaks’ Vault 7 data dump. The bug was present in the Cluster Management Protocol processing code in Cisco IOS and Cisco IOS XE Software.