Cisco revealed that it had “inadvertently” shipped an in-house exploit code that was used in test scripts as part of its TelePresence Video Communication Server and Expressway Series software.
Cisco Systems revealed in a security bulletin Wednesday that it “inadvertently” shipped in-house exploit code that was used in security tests of scripts as part of its TelePresence Video Communication Server and Expressway Series software.
The code exploits the Dirty Cow vulnerability (CVE-2016-5195), a well-known privilege escalation vulnerability in the Linux Kernel, which came to light in 2016.
The code was used internally by Cisco in validation scripts to be included in shipping software images – it was used to ensure that Cisco’s software is protected against known exploits. However, there was a failure in the final QA validation step of the software, and as a result someone from Cisco forgot to remove the code before release.
“The presence of the sample, dormant exploit code does not represent nor allow an exploitable vulnerability on the product, nor does it present a risk to the product itself as all of the required patches for this vulnerability have been integrated into all shipping software images,” Cisco wrote in its advisory.
The blunder was discovered during internal security testing.
“A failure in the final QA validation step of the automated software build system for the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software inadvertently allowed a set of sample, dormant exploit code used internally by Cisco in validation scripts to be included in shipping software images,” the company said in an advisory. “This includes an exploit for the Dirty CoW vulnerability (CVE-2016-5195). The purpose of this QA validation step is to make sure the Cisco product contains the required fixes for this vulnerability.”
Cisco said that it is not aware of “malicious use of the issue” and that the issue does not open the impacted software (Cisco Expressway Series and Cisco TelePresence Video Communication Server image versions X8.9 through X8.11.3) to any sort of attack. “The impacted software images will be removed and will be replaced by fixed images,” the company said. It did not specify when.
Dirty Cow was patched in 2016 after it was discovered in public exploits. The vulnerability was found in the copy-on-write (COW) feature in Linux and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.