Cisco Prime Collaboration Provisioning Unauthorized Password Change Denial of Service Vulnerability [CVE-2018-0391]

CVE Number – CVE-2018-0391

A vulnerability in the password change function of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to cause the system to become inoperable.

The vulnerability is due to insufficient validation of a password change request. An attacker could exploit this vulnerability by changing a specific administrator account password. A successful exploit could allow the attacker to cause the affected device to become inoperable, resulting in a denial of service (DoS) condition.
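
To make the advisory's wording concrete, here is an added illustrative example. It is not Cisco's code and does not describe the actual PCP defect; it shows the general bug class behind "insufficient validation of a password change request": a handler that only confirms the caller is authenticated, beside one that validates the target account before touching it. The account names, roles, the `protected` flag and the password policy are all constructed for the example.

```python
"""Illustrative password-change handler (hypothetical, not Cisco PCP code).

Shows the class of bug the advisory describes: a password-change request
whose target account is not validated. The vulnerable handler lets any
authenticated user reset any account, including a protected internal one
whose credential other components depend on; the hardened handler checks
the target, the caller's authorization and the password policy first.
Accounts, roles and names below are constructed sample data.
"""
from dataclasses import dataclass, field
import hashlib
import os


@dataclass
class Account:
    name: str
    role: str                 # "admin" or "user" (constructed roles)
    protected: bool = False   # internal account used by the system itself
    pw_hash: bytes = b""
    salt: bytes = field(default_factory=lambda: os.urandom(16))


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the KDF choice is incidental to the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_directory():
    """Constructed directory: one human admin, one ordinary user, and one
    internal account that the (hypothetical) system authenticates with."""
    d = {
        "alice": Account("alice", "admin"),
        "bob": Account("bob", "user"),
        "sys_provisioner": Account("sys_provisioner", "admin", protected=True),
    }
    for acct in d.values():
        acct.pw_hash = _hash("initial-" + acct.name, acct.salt)
    return d


def change_password_vulnerable(directory, requester, target, new_pw):
    """Checks only that the requester is authenticated.  Any logged-in user
    can reset any account, including the protected internal one, which in
    a real system would break every component that relies on it."""
    if requester not in directory:
        return "denied: not authenticated"
    acct = directory[target]           # no validation of the target at all
    acct.pw_hash = _hash(new_pw, acct.salt)
    return "changed"


def change_password_hardened(directory, requester, target, new_pw):
    """Validates the whole request before acting on it."""
    if requester not in directory:
        return "denied: not authenticated"
    if target not in directory:
        return "denied: no such account"
    acct = directory[target]
    # Internal accounts are never changeable through the user-facing path.
    if acct.protected:
        return "denied: protected account"
    # Non-admins may only change their own password.
    if requester != target and directory[requester].role != "admin":
        return "denied: not authorized for target"
    if len(new_pw) < 12:                # constructed minimum-length policy
        return "denied: password policy"
    acct.pw_hash = _hash(new_pw, acct.salt)
    return "changed"


def verify(directory, name, password):
    acct = directory[name]
    return acct.pw_hash == _hash(password, acct.salt)


def demo():
    """Ordinary user 'bob' tries to reset the internal account both ways."""
    d = make_directory()
    v = change_password_vulnerable(d, "bob", "sys_provisioner", "owned-by-bob-123")
    broken = not verify(d, "sys_provisioner", "initial-sys_provisioner")
    d2 = make_directory()
    h = change_password_hardened(d2, "bob", "sys_provisioner", "owned-by-bob-123")
    intact = verify(d2, "sys_provisioner", "initial-sys_provisioner")
    return v, broken, h, intact


if __name__ == "__main__":
    print(demo())
```

The order of checks in the hardened handler matters: the protected-account test runs before the role test, so even an administrator cannot reset the internal account through this interface, which is exactly the path a "change a specific administrator account password" DoS would take.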

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180801-pcp-dos

Affected Products
  • Vulnerable Products

    This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.2 and prior.

    Administrators can determine the current PCP release from the Cisco PCP GUI:

    1. Log in to Cisco PCP
    2. Click the settings icon near the top right of the screen
    3. Click About

    The release information is also displayed on the login screen.

  • Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds
  • There are no workarounds that address this vulnerability.

Fixed Software
  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

Duncan Newell

Duncan is a technology professional with over 20 years' experience working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.
