Cisco patched authentication, privilege escalation, and denial-of-service vulnerabilities this week in several of its products, including one that’s used for identifying the location of 9-1-1 emergency callers.
The flaw in Cisco Emergency Responder is caused by the presence of default static credentials for the root account that were used during development but were never removed. Users cannot change or remove these credentials, presenting a permanent backdoor that would allow attackers to execute commands on the affected systems with the highest possible privileges.
Cisco Emergency Responder works together with Cisco Unified Communications Manager to enhance its 9-1-1 functionality by identifying the location of emergency callers so the calls can be routed to the appropriate public safety answering point. It also allows emergency responders to dynamically monitor caller or phone location changes.
The static root credentials are only present in the 12.5(1)SU41 version of the software and was fixed in 12.5(1)SU5. Release 14 of the firmware, as well as releases 11.5 and earlier are not impacted. The flaw, tracked as CVE-2023-20101, is rated as critical.
Cisco API endpoint vulnerability could lead to DoS attack
Another vulnerability that affects Cisco Emergency Responder, as well as several other Cisco Unified Communications products is in an API endpoint and can lead to a denial-of-service condition. The flaw can be exploited without authentication by sending specifically crafted requests to the vulnerable API endpoint in order to trigger high CPU utilization. This in turn could prevent access to the web-based management interface of the devices or lead to delays in call processing.
The vulnerability, tracked as CVE-2023-20259, is rated as high severity and affects Emergency Responder, Prime Collaboration Deployment, Unified Communications Manager (Unified CM), Unified Communications Manager IM & Presence Service (Unified CM IM&P), Unified Communications Manager Session Management Edition (Unified CM SME) and Unity Connection. Cisco has released firmware updates for all impacted systems.
