Cisco has revealed that it had inadvertently shipped two of its softwares with in-house exploit code. These exploit codes were used in security tests of scripts as part of Cisco’s Expressway Series Software and TelePresence Video Communication Server image versions X8.9 through X8.11.3.
The exploit code left out in the shipped softwares exploited the dirty copy-on-write (CoW) vulnerability. This vulnerability had been revealed for Linux Kernel back in 2016. The code was used by the networking company internally to ensure that the softwares were protected against known exploits but due to a failure in a final QA validation step, someone at Cisco forgot to remove the code before the release.
Cisco in its advisory has said that: “The affected software images have proactively been removed from the Cisco Software Center and will soon be replaced with fixed software images. Bug ID CSCvn17278 has been opened to track this issue.”
If the customers still want access to the affected software images they will have to open a case with the Cisco TAC and submit a request for “Special File Access” to download the software images.
Cisco has although confirmed that the code does not pose any security threat due to the dormancy of the code. The company further added that the softwares with the exploit codes also carry the patches with them.