Cisco revealed that it had “inadvertently” shipped an in-house exploit code that was used in test scripts as part of its TelePresence Video Communication Server and Expressway Series software.
Cisco Systems revealed in a security bulletin Wednesday that it “inadvertently” shipped in-house exploit code that was used in security tests of scripts as part of its TelePresence Video Communication Server and Expressway Series software. The code exploits the Dirty Cow vulnerability (CVE-2016-5195), a well-known privilege escalation vulnerability in the Linux Kernel, which came to light in 2016.
The code was used internally by Cisco in validation scripts to be included in shipping software images – it was used to ensure that Cisco’s software is protected against known exploits. However, there was a failure in the final QA validation step of the software, and as a result someone from Cisco forgot to remove the code before release.