Cisco has issued software updates to address multiple vulnerabilities in a number of its TelePresence products.
One vulnerability is in the web framework and is due to insufficient input validation, according to a Wednesday advisory. It could be exploited by a remote, authenticated attacker to execute system commands with root user privileges.
“An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page,” the advisory stated. “Administrative privileges are required in order to access the affected parameter.”
The following TelePresence products are affected when running vulnerable software: Advanced Media Gateway Series, IP Gateway Series, IP VCR Series, ISDN Gateway, MCU 4200 Series, MCU 4500 Series, MCU 5300 Series, MCU MSE 8420, MCU MSE 8510, Serial Gateway Series, Server 7010, Server MSE 8710, Server on Multiparty Media 310, Server on Multiparty Media 320, and Server on Virtual Machine.
Additionally, TelePresence TC and TE Software contains an authentication bypass vulnerability – due to improper implementation of authentication and authorization controls for internal services – that could be exploited by an attacker to gain root user privileges.
“[The vulnerability] could allow an unauthenticated attacker within the broadcast or collision domains, or with physical access to the system, to bypass authentication and obtain root user access to the affected system,” a second advisory said.
TelePresence TC and TE Software also contains a denial of service vulnerability, triggered by crafted packets and caused by insufficient implementation of flood controls, that could enable an attacker to cause processes to restart and potentially reload the system.
“The vulnerability is due to insufficient implementation of flood controls,” according to the second advisory. “An attacker could exploit this vulnerability by sending crafted IP packets at a high rate.”
The following TelePresence products are affected when running vulnerable software: MX Series, System EX Series, Integrator C Series, Profiles Series, Quick Set Series, System T Series, and VX Clinical Assistant. TE Software is affected only when running on Cisco TelePresence System EX Series devices. System T Series is end-of-life and no fix is available.