PT-2017-3275 · Cisco · Cisco Voice Operating System

Published 2017-11-15 · Updated 2025-07-31 · CVE-2017-12337

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Cisco collaboration products based on the Cisco Voice Operating System software platform (affected versions not specified)

Description

A vulnerability in the upgrade mechanism of Cisco collaboration products could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The issue occurs when a refresh upgrade or Prime Collaboration Deployment migration is performed, leaving an engineering flag enabled that could allow root access with a known password. An attacker who can access the device over SFTP while it is in a vulnerable state could gain root access, potentially compromising the system completely.

Recommendations

For devices that have undergone a refresh upgrade or Prime Collaboration Deployment migration, consider upgrading to an Engineering Special Release, service update, or a new major release of the affected product using the standard upgrade method to remediate the vulnerability. As a temporary workaround, restrict access to the device over SFTP to minimize the risk of exploitation. Engineering Special Releases installed as COP files, rather than through the standard upgrade method, do not remediate the vulnerability.

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2018-00039
CVE-2017-12337

Affected Products

Cisco Voice Operating System