Detections
Analytics
Cisco Finesse Unauthorized Access (cisco-sa-20171115-vos)
critical Nessus Plugin ID 130095
Language:
Synopsis
The remote host is missing a vendor-supplied security patch.Description
According to its self-reported version, the Cisco Finesse Software is affected by an unauthorized access vulnerability. The vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password.Please see the included Cisco BIDs and Cisco Security Advisory for more information
Solution
Apply the patch or upgrade to the version recommended in Cisco bug ID CSCvg64475See Also
Plugin Details
Severity: Critical
ID: 130095
File Name: cisco-sa-20171115-vos-finesse.nasl
Version: 1.2
Type: local
Family: CISCO
Published: 10/21/2019
Updated: 10/30/2019
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2017-12337
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:cisco:finesse
Required KB Items: installed_sw/Cisco VOSS Finesse, Settings/ParanoidReport
Exploit Ease: No known exploits are available
Patch Publication Date: 11/15/2017
Vulnerability Publication Date: 11/15/2017
Reference Information
CVE: CVE-2017-12337
CISCO-SA: cisco-sa-20171115-vos
CISCO-BUG-ID: CSCvg64475