Cisco patched authentication, privilege escalation, and denial-of-service vulnerabilities this week in several of its products, including one that’s used for identifying the location of 9-1-1 emergency callers.
The flaw in Cisco Emergency Responder is caused by the presence of default static credentials for the root account that were used during development but were never removed. Users cannot change or remove these credentials, presenting a permanent backdoor that would allow attackers to execute commands on the affected systems with the highest possible privileges.
Cisco Emergency Responder works together with Cisco Unified Communications Manager to enhance its 9-1-1 functionality by identifying the location of emergency callers so the calls can be routed to the appropriate public safety answering point. It also allows emergency responders to dynamically monitor caller or phone location changes.
The static root credentials are only present in the 12.5(1)SU41 version of the software and was fixed in 12.5(1)SU5. Release 14 of the firmware, as well as releases 11.5 and earlier are not impacted. The flaw, tracked as CVE-2023-20101, is rated as critical.
Cisco API endpoint vulnerability could lead to DoS attack
Another vulnerability that affects Cisco Emergency Responder, as well as several other Cisco Unified Communications products is in an API endpoint and can lead to a denial-of-service condition. The flaw can be exploited without authentication by sending specifically crafted requests to the vulnerable API endpoint in order to trigger high CPU utilization. This in turn could prevent access to the web-based management interface of the devices or lead to delays in call processing.
The vulnerability, tracked as CVE-2023-20259, is rated as high severity and affects Emergency Responder, Prime Collaboration Deployment, Unified Communications Manager (Unified CM), Unified Communications Manager IM & Presence Service (Unified CM IM&P), Unified Communications Manager Session Management Edition (Unified CM SME) and Unity Connection. Cisco has released firmware updates for all impacted systems.
Cisco Network Services Orchestrator flaw could allow privilege escalation
A third flaw, CVE-2021-1572, was patched in Cisco Network Services Orchestrator and can lead to privilege escalation if an attacker has access to a low-privileged account on the system and the system has the Secure Shell (SSH) server for the command-line interface (CLI) enabled. The issue is caused by the fact that the SFTP user service runs with the same privileges as the account that was used to enable the built-in SSH server and that account is root by default.
“Any user who can authenticate to the built-in SSH server may exploit this vulnerability,” Cisco warns in its advisory. “By default, all Cisco NSO users have this access if the server is enabled.”
The good news is that the built-in SSH server is disabled by default in an NSO system installation. The bad news is that most supported versions of NSO are impacted when SSH is enabled.
The same vulnerability, which was originally announced in August, impacts ConfD, a framework for on-device management. Cisco has now updated its advisories for both NSO and ConfD with more information about impacted releases and availability of fixed versions.