Cisco released security patches to address severe vulnerabilities in Prime Collaboration Provisioning (PCP) solution, one of the issues was rated as critical.
The vulnerabilities have been found by Cisco during internal security testing and there is no evidence of attacks exploiting the flaws in the wild.
The Prime Collaboration Provisioning is a web-based provisioning product that allows its customers to manage their communications services.
The critical vulnerability, tracked as CVE-2018-0321, could be exploited by a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform malicious actions that affect both the PCP and the devices connected to the solution.
“A vulnerability in Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the Java Remote Method Invocation (RMI) system.” reads the security advisory published by Cisco.
“The vulnerability is due to an open port in the Network Interface and Configuration Engine (NICE) service. An attacker could exploit this vulnerability by accessing the open RMI system on an affected PCP instance. An exploit could allow the attacker to perform malicious actions that affect PCP and the devices that are connected to it.”
Cisco confirmed that there are no workarounds that address this vulnerability.
Cisco also reported five high severity vulnerabilities in the Prime Collaboration Provisioning solution, two of which could be exploited by an unauthenticated attacker to reset the password on vulnerable products and gain admin-level privileges by sending a specially crafted password reset request.
Another high severity vulnerability could be exploited by an unauthenticated attacker to execute arbitrary SQL queries. Cisco also fixed high severity access control vulnerabilities that could lead privileges escalation.
Customers need to update their Prime Collaboration Provisioning products by updating them to version 12.3.
The flaws have been identified by experts from Cisco during internal security testing.
Cisco also fixed an information disclosure bug in Meeting Server, and a DoS vulnerability that affects several products of the IT giant.
(Security Affairs – Cisco, Prime Collaboration Provisioning)