A trio of security flaws opens the door to remote-code execution and a malware tsunami.
The Akkadian Provisioning Manager, which is used as a third-party provisioning tool within Cisco Unified Communications environments, has three high-severity security vulnerabilities that can be chained together to enable remote code execution (RCE) with elevated privileges, researchers said.
They remain unpatched, according to the researchers at Rapid7 who discovered them.
Cisco’s UC suite enables VoIP and video communications across business footprints. The Akkadian product is an appliance that’s typically used in large enterprises to help manage, via automation, the provisioning and configuration of all of the UC clients and instances.
The issues, all present in version 4.50.18 of the Akkadian platform, are as follows:
CVE-2021-31579: Use of hard-coded credentials (ranking 8.2 out of 10 on the CVSS vulnerability-severity scale)
CVE-2021-31580 and CVE-2021-31581: Improper neutralization of special elements used in an OS command (using exec and vi commands, respectively; ranking 7.9)
CVE-2021-31582: Exposure of sensitive information to an unauthorized actor (ranking 7.9)
Combining CVE-2021-31579 with either CVE-2021-31580 or CVE-2021-31581 will allow an unauthorized adversary to gain root-level shell access to affected devices, according to Rapid7. That makes it easy to install cryptominers, keystroke loggers, persistent shells and any other type of Linux-based malware.