Cisco patched multiple vulnerabilities in its Prime Collaboration Provisioning (PCP), a web-based provisioning solution that allows organizations to manage their communications services.
The holes include one critical and five high severity vulnerabilities.
CVE-2018-0321, which rated critical, allows a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform actions that affect the PCP and the devices connected to it.
High severity vulnerabilities include two that allow an unauthenticated attacker to reset the password on affected systems and gain admin-level privileges by sending a specially crafted password reset request.
Another high severity bug allows an unauthenticated attacker to execute arbitrary SQL queries. The remaining high severity vulnerabilities are access control issues that allow authenticated attackers to elevate their privileges.
Cisco released a new version, 12.3, to patch all the PCP vulnerabilities. The issues ended up discovered by Cisco itself during internal security testing.
Cisco said they have need found any evidence of attacks leveraging the vulnerabilities.
In addition, Cisco also fixed a critical vulnerability, CVE-2018-0315, in the authentication, authorization, and accounting (AAA) security services of Cisco IOS XE software.
An attacker could leverage the vulnerability to execute arbitrary code on a device or cause a denial-of-service (DoS) condition.