Cisco TelePresence Multiple Vulnerabilities
Last Update Date:
13 Jul 2012
Release Date:
12 Jul 2012
4433
Views
RISK: Medium Risk
TYPE: Clients - Im, Chat & Voip
Multiple vulnerabilities have been identified in Cisco TelePresence.
- A remote user on the adjacent network can send specially crafted Cisco Discovery Protocol packets to trigger a buffer overflow and execute arbitrary code on the target system with elevated privileges. (Cisco TelePresence Recording Server, Immersive Endpoint devices, Recording Server, TelePresense Manager and Multipoint Switch)
- A remote user can send a sequence of specially crafted IP packets and TCP connection requests or terminations at a high rate to prevent the target device from responding to new connection requests. Some services and processes may crash. (Cisco TelePresence Recording Server, TelePresence Manager and Multipoint Switch)
- An error within the administrative web interface can be exploited to inject and execute arbitrary commands. (Cisco TelePresence Recording Server and Immersive Endpoint devices)
- An error within a Cisco TelePresence API can be exploited to inject and execute arbitrary commands via a specially crafted request to TCP port 61480. (Cisco TelePresence Immersive Endpoint devices)
Impact
- Denial of Service
- Remote Code Execution
System / Technologies affected
- Versions prior to 1.9.0 for Cisco TelePresence Manager and Cisco TelePresence Multipoint Switch
- Versions prior to 1.8.1 for Cisco TelePresence Recording Server
- Versions prior to 1.9.1 for Cisco TelePresence Immersive Endpoint devices
- Versions prior to 1.8.0 for Cisco TelePresence Recording Server Denial of Service Vulnerability
Solutions
Before installation of the software, please visit the software manufacturer web-site for more details.
- The vendor has issued a fix (1.9.0) for Cisco TelePresence Manager and Cisco TelePresence Multipoint Switch
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctms - The vendor has issued a fix (1.8.1) for Cisco TelePresence Recording Server
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs - The vendor has issued a fix (1.9.1) for Cisco TelePresence Immersive Endpoint devices
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts - No official solution is currently available for Cisco TelePresence Recording Server Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs
Vulnerability Identifier
Source
Related Link
Share with