Credentials Hard-Coded in Cisco Emergency Location TrackerEmergency Responder Among Several Recent Cisco Product Vulnerability Advisories
Cisco has released urgent fixes to a critical vulnerability affecting an emergency communication system used to track callers' location in real time. A developer inadvertently hard-coded credentials in Cisco Emergency Responder tracking and routing software, opening up a permanent backdoor for potential unauthenticated attackers.
At some point in the development cycle, static user credentials for the root account were added to the code but never removed. The credentials cannot be changed or deleted, giving attackers continuous access to the system.
The vulnerability, tracked as CVE-2023-20101, is rated as critical with a CVSS score of 9.8.
"An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user," according to a Cisco advisory.
The software updates address the vulnerability in Cisco Emergency Responder Release 12.5(1)SU4. The vulnerability has no workarounds.
The flaw was uncovered during internal security testing. The Cisco Product Security Incident Response Team said that it is unaware of any public announcements or malicious use of the vulnerability.
Other Recent Vulnerabilities
Emergency Responder was one of several Cisco software products affected by vulnerabilities. Last week, Cisco advised customers running its tunnel-less VPN for wide area networks to patch after revealing that attackers attempted to take advantage of a zero-day flaw.
The San Jose, Calif.-based tech giant said the flaw in its Group Encrypted Transport VPN, tracked as CVE-2023-20109, allows attackers to execute arbitrary code if they already have access to a GET VPN group member router or to the key server. Exploiting the flaw would require an attacker to already have administrative control of a group member or the key server.
Denial of Service Vulnerability
Cisco also addressed another vulnerability in an API endpoint of multiple Cisco Unified Communications Products that could allow a remote attacker to cause high CPU utilization impacting access to the web-based management interface, ultimately causing delays with call processing.
The flaw, tracked as CVE-2023-20259 and rated as high severity with a CVSS score of 8.6, affects Emergency Responder, Prime Collaboration Deployment, Unified Communications Manager, Unified Communications Manager IM and Presence Service, Unified Communications Manager Session Management Edition and Unity Connection.
"This vulnerability is due to improper API authentication and incomplete validation of the API request. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to cause a denial of service condition," the advisory said.
This flaw has no workarounds and was uncovered during the internal security testing. The Cisco Product Security Incident Response Team said it is not aware of any public announcements or malicious use of the vulnerability.