Cisco Patches Critical Flaws in Elastic Services Controller and UCDM

Cisco Systems has released security updates for its Unified Communications Domain Manager (UCDM) and Elastic Services Controller (ESC) products to address critical vulnerabilities.

The vulnerability fixed in UCDM, which is used for unified communications and collaboration services in large enterprises, can allow attackers to bypass security protections, gain elevated privileges and execute arbitrary code.

The flaw stems from an insecure key generation mechanism during the application’s configuration and allows an attacker to send arbitrary requests to applications using the known insecure key value.

The vulnerability was found during internal security testing and was fixed in Cisco UCDM versions 11.5(2) and later, which can be downloaded from Cisco’s software service center. Customers who don’t have an active service contract should contact the company to obtain an update.

An authentication bypass vulnerability has also been fixed in the web-based service portal of the Cisco Elastic Services Controller software. ESC is used to manage the large-scale virtualization of network functions, including service monitoring, auto-recovery and dynamic scaling.

The flaw is quite basic and easy to exploit because it allows an unauthenticated remote attacker to log in to the portal with administrative permissions by supplying an empty password. Cisco advises customers to upgrade to ESC 3.1.0.

The new ESC release also addresses a high-risk vulnerability that stems from the use of static default credentials. Attackers can extract these credentials from a software image and use them to generate a valid administrative session token.

On Feb. 21, Cisco also patched medium-risk cross-site scripting vulnerabilities in Cisco Data Center Analytics Framework, Cisco Jabber Client Framework for Windows and Mac, Cisco Prime Collaboration Provisioning Tool, Cisco Prime Service Catalog and Cisco Unified Communications Manager. Denial-of-service issues were also fixed in Cisco Unified Customer Voice Portal and Cisco Prime Collaboration Provisioning Tool Web Portal.

Finally, the company fixed a cross-site request forgery flaw in Cisco UCS Director and Cisco Integrated Management Controller Supervisor and a mail relay vulnerability in Cisco Unity Connection.

SEC Tells Company Execs to Stop Trading During Security Investigations

Over the past year, it came to light that executives from both Equifax and Intel sold considerable amounts of stock while the companies were investigating major cybersecurity incidents: Equifax a massive data breach and Intel critical vulnerabilities in its processors (Meltdown and Spectre). Now, the U.S. Securities and Exchange Commission is advising companies to make sure such trading doesn’t happen.

“Public companies should have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information,” the SEC said in a new cybersecurity guidance document. “In addition, we believe that companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material.”

The SEC also said that company directors and officers should be kept informed about the cybersecurity risks and incidents their companies have faced or are likely to face, because that awareness is the basis for effective disclosure procedures for such incidents.

“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” the SEC said.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42