Cisco patched authentication, privilege escalation, and denial-of-service vulnerabilities this week in a number of its products, including one that is used for determining the location of 9-1-1 emergency callers.
The flaw in Cisco Emergency Responder is caused by the presence of default static credentials for the root account that were used during development but were never removed. Users cannot change or remove these credentials, presenting a permanent backdoor that could allow attackers to execute commands on the affected systems with the highest possible privileges.
Cisco Emergency Responder works together with Cisco Unified Communications Manager to enhance its 9-1-1 functionality by determining the location of emergency callers so the calls can be routed to the appropriate public safety answering point. It also allows emergency responders to dynamically track caller or phone location changes.
The static root credentials are only present in the 12.5(1)SU41 version of the software and were fixed in 12.5(1)SU5. Release 14 of the firmware, as well as releases 11.5 and earlier, are not impacted. The flaw, tracked as CVE-2023-20101, is rated as critical.
Cisco API endpoint vulnerability could lead to DoS attack
Another vulnerability that impacts Cisco Emergency Responder, as well as several other Cisco Unified Communications products, is in an API endpoint and could lead to a denial-of-service condition. The flaw could be exploited without authentication by sending specially crafted requests to the vulnerable API endpoint in order to trigger high CPU utilization. This in turn could prevent access to the web-based management interface of the devices or lead to delays in call processing.
The vulnerability, tracked as CVE-2023-20259, is rated as high severity and impacts Emergency Responder, Prime Collaboration Deployment, Unified Communications Manager (Unified CM), Unified Communications Manager IM & Presence Service (Unified CM IM&P), Unified Communications Manager Session Management Edition (Unified CM SME) and Unity Connection. Cisco has released firmware updates for all impacted systems.