SecurityTracker.com
Category:   Application (Generic)  >   Cisco MediaSense
Vendors:   Cisco
Cisco MediaSense Upgrade Error Lets Remote Users Gain Root Access on the Target System
SecurityTracker Alert ID:  1039819
SecurityTracker URL:  http://securitytracker.com/id/1039819
CVE Reference:   CVE-2017-12337
Date:  Nov 16 2017
Impact:   Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Cisco MediaSense. A remote user can gain access to the target system.

When a refresh upgrade is performed on a Cisco Voice Operating System (VOS) software platform device, an engineering flag remains enabled. As a result, a remote user can connect to the target device via SFTP and gain root privileges on the target device.

The vendor has assigned bug ID CSCvg64456 to this vulnerability.

Quentin Rhoads-Herrera and Rich Mirch of the State Farm Penetration Testing Team reported this vulnerability.

Impact:   A remote user can gain root access on the target system.
Solution:   The vendor has issued a fix.

The vendor notes that when the system is upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release, the vulnerability is corrected.

The vendor also notes that Engineering Special Releases that are installed as COP files do not correct the vulnerability.

The vendor advisory is available at:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-vos

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-vos
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-vos

Copyright 2019, SecurityGlobal.net LLC