critical
10
CWE
287
Advisory Published
Updated

CVE-2017-12337

First published: Thu Nov 16 2017(Updated: )

A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action. Note: Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability. An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely. Cisco Bug IDs: CSCvg22923, CSCvg55112, CSCvg55128, CSCvg55145, CSCvg58619, CSCvg64453, CSCvg64456, CSCvg64464, CSCvg64475, CSCvg68797.

Credit: ykramarz@cisco.com

Affected SoftwareAffected VersionHow to fix
Cisco Emergency Responder
Cisco Finesse
Cisco Hosted Collaboration Solution
Cisco MediaSense
Cisco Prime License Manager
Cisco SocialMiner
Cisco Unified Communications Manager
Cisco Unified Communications Manager
Cisco Unified Communications Manager IM and Presence Service
Cisco Unified Contact Center Express
Cisco Unity Connection
Cisco Unified Intelligence Center

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the vulnerability ID for this issue?

    The vulnerability ID for this issue is CVE-2017-12337.

  • What is the severity level of CVE-2017-12337?

    The severity level of CVE-2017-12337 is critical, with a severity value of 9.8.

  • Which Cisco collaboration products are affected by CVE-2017-12337?

    The Cisco collaboration products affected by CVE-2017-12337 include Cisco Emergency Responder, Cisco Finesse, Cisco Hosted Collaboration Solution, Cisco MediaSense, Cisco Prime License Manager, Cisco SocialMiner, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM and Presence Service, Cisco Unified Contact Center Express, Cisco Unity Connection, and Cisco Unified Intelligence Center.

  • How does CVE-2017-12337 allow unauthorized access to affected devices?

    CVE-2017-12337 allows an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device through the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform.

  • Are there any references available for CVE-2017-12337?

    Yes, you can find references for CVE-2017-12337 at the following links: http://www.securityfocus.com/bid/101865 and http://www.securitytracker.com/id/1039813.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203