Cisco Video Conference Vulnerabilities

Monday, May 18, 2015 @ 05:05 PM gHale


Cisco’s video conference products TelePresence TC and TE are vulnerable to attacks.

The list of affected products includes the MX Series, System EX Series, Integrator C Series, Profiles Series, Quick Set Series, System T Series and VX Clinical Assistant.


As a result of these vulnerabilities, attackers could gain access to the systems and get elevated privileges or even bring down the device.

A security advisory released by the company on Wednesday said exploiting one of the security flaws, tracked as CVE-2014-2174, may allow an attacker to bypass authentication and obtain root access on the system. Under the Common Vulnerability Scoring System (CVSS), the base severity score calculated for this flaw is 8.3 out of 10.

The assault is not a total slam dunk, as one of the requirements to get in is for the attacker to initiate exploitation from within the broadcast or collision domain. That means the network has to suffer a compromise or there has to be physical access to the system.

The cause of the glitch is improper implementation of authentication and authorization controls for internal services.

A second problem, with a CVSS score of 7.8, can render the affected device inoperable by causing a denial-of-service (DoS) condition.

An attacker can leverage the glitch by sending specially crafted IP packets in succession at a high rate.

The issue, identified as CVE-2015-0722, is in the network drivers and stems from insufficient implementation of flood controls. The end result of successful exploitation is that an attacker could cause several running processes to restart from a remote location.

Cisco released free software updates for TelePresence TC: release 7.1, which mitigates the authentication bypass issue, and 7.3.2, which eliminates the DoS risk. Cisco TelePresence TE software does not benefit from a fix for either vulnerability.

The developer said users relying on System T Series have to switch to newer hardware in order to implement the latest patches for TelePresence.


