Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-12337

A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action. Note: Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability. An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely. Cisco Bug IDs: CSCvg22923, CSCvg55112, CSCvg55128, CSCvg55145, CSCvg58619, CSCvg64453, CSCvg64456, CSCvg64464, CSCvg64475, CSCvg68797.

Published

2017-11-16T07:29:01.023

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-287
Type: Primary
CWE-287

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cisco	emergency_responder	-	Yes
Application	cisco	finesse	-	Yes
Application	cisco	hosted_collaboration_solution	-	Yes
Application	cisco	mediasense	-	Yes
Application	cisco	prime_license_manager	-	Yes
Application	cisco	socialminer	-	Yes
Application	cisco	unified_communications_manager	-	Yes
Application	cisco	unified_communications_manager	-	Yes
Application	cisco	unified_communications_manager_im_and_presence_service	-	Yes
Application	cisco	unified_contact_center_express	-	Yes
Application	cisco	unity_connection	-	Yes
Operating System	cisco	unified_intelligence_center	-	Yes

References

http://www.securityfocus.com/bid/101865 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039813 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039814 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039815 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039816 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039817 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039818 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039819 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039820 Third Party Advisory, VDB Entry ([email protected])
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-vos Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/101865 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039813 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039814 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039815 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039816 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039817 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039818 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039819 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039820 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-vos Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)