Cisco Systems issued a security advisory warning customers key products tied to its Cisco Voice Operating System software platform were vulnerable to an attack where an unauthenticated, remote hacker could gain unauthorized and elevated access to impacted devices.
The Cisco Security Bulletin is rated Critical and was issued Wednesday. It is tied to a vulnerability (CVE-2017-12337) in its Voice Operating System software which is used in flagship products such as its Cisco Unified Communications Manager, which brings together voice, video, telepresence, messaging and presence. Cisco Unified Communications Manager was previously known as CallManager.
Cisco lists 12 products affected by the bug including versions of its Cisco Prime License Manager, Cisco SocialMiner, Cisco Emergency Responder and Cisco MediaSense.
“The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password,” Cisco wrote in its bulletin.
Cisco said that attackers that manage to access the impacted devices over SSH File Transfer Protocol (SFTP) while still vulnerable, could gain root access to the device at that time. “This access could allow the attacker to compromise the affected system completely,” Cisco wrote.
SFTP enables secure file transfer capabilities between networked hosts and is sometimes referred to as Secure File Transfer Protocol.
“If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action,” according to Cisco.
Researchers also note “Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability.”
Cisco said a software update fixes the bug, and that no workaround to the vulnerability is available at this time.
The U.S. Department of Homeland Security also issued a warning via US-CERT of the vulnerability on Wednesday.