
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.

This server management utility enables admins to perform migration or upgrade tasks on servers in their organization's inventory.

Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre (NCSC).

Successful exploitation enables unauthenticated attackers to launch cross-site scripting attacks remotely but requires user interaction.

"This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link," Cisco explains.

"A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."

While Cisco has shared information on the flaw's impact, the company will not release security updates to address it until sometime next month. For now, no workarounds are available to remove the attack vector.

Luckily, the Cisco Product Security Incident Response Team (PSIRT) has yet to find any evidence of malicious use in the wild and is unaware of public exploit code targeting the bug.

Cisco Prime Collaboration Deployment Release | First Fixed Release
14 and earlier                                | 14SU3 (May 2023)

December zero-day patched in January

Cisco has also patched another high-severity IP Phone zero-day (CVE-2022-20968) with publicly available exploit code, disclosed in early December 2023.

The company promised that security updates would be released in January 2023, and it patched the vulnerability with a new firmware release issued on January 18. However, the advisory has yet to be updated, and the firmware update can only be downloaded with a Cisco account.

Cisco's PSIRT warned at the time that it's "aware that proof-of-concept exploit code is available" and that the "vulnerability has been publicly discussed."

Devices impacted by CVE-2022-20968 include Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.

Even though Cisco did not provide a workaround for this IP Phone zero-day, it advised admins to apply temporary mitigation measures, which require disabling the Cisco Discovery Protocol (CDP) on affected devices that support the Link Layer Discovery Protocol (LLDP), with LLDP serving as the fallback option.

"This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise," the company warned at the time.

Update April 27, 14:45 EDT: Revised story to say the IP Phone zero-day was patched in January (the advisory is yet to be updated with this information).
