10 - cisco-sa-20110223-telepresence-ctrs

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Multiple Vulnerabilities in Cisco TelePresence Recording Server

Informations
Name	cisco-sa-20110223-telepresence-ctrs	First vendor Publication	2010-11-23
Vendor	Cisco	Last vendor Modification	2011-02-23
Severity (Vendor)	N/A	Revision	1.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Multiple vulnerabilities exist within the Cisco TelePresence Recording Server. This security advisory outlines details of the following vulnerabilities:

* Unauthenticated Java Servlet Access

* Common Gateway Interface (CGI) Command Injection

* Unauthenticated Arbitrary File Upload

* XML-Remote Procedure Call (RPC) Arbitrary File Overwrite

* Cisco Discovery Protocol Remote Code Execution

* Ad Hoc Recording Denial of Service

* Java Remote method Invocation (RMI) Denial of Service

* Unauthenticated XML-RPC Interface

Duplicate Issue Identification in Other Cisco TelePresence Advisories

The Unauthenticated Java Servlet Access vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

* Cisco TelePresence Multipoint Switch - CSCtf42008
* Cisco TelePresence Recording Server - CSCtf42005

The Unauthenticated Arbitrary File Upload vulnerability affects the Cisco TelePresence Multipoint Switch and Recording server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

* Cisco TelePresence Multipoint Switch - CSCth61065
* Cisco TelePresence Recording Server - CSCth85786

The Cisco Discovery Protocol Remote Code Execution vulnerability affects Cisco TelePresence endpoints, Manager, Multipoint Switch, and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

* Cisco TelePresence endpoint devices - CSCtd75754
* Cisco TelePresence Manager - CSCtd75761
* Cisco TelePresence Multipoint Switch - CSCtd75766
* Cisco TelePresence Recording Server - CSCtd75769

The Java RMI Denial of Service vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

* Cisco TelePresence Multipoint Switch - CSCtg35825
* Cisco TelePresence Recording Server - CSCtg35830

Original Source

Url : http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6 (...)

CWE : Common Weakness Enumeration

%	Id	Name
29 %	CWE-399	Resource Management Errors
29 %	CWE-287	Improper Authentication
14 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer
14 %	CWE-94	Failure to Control Generation of Code ('Code Injection')
14 %	CWE-78	Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type	Description	Count
Application	Cisco Adaptive Security Appliance Software cpe:2.3:a:cisco:adaptive_security_appliance_software:1.6.0:::::::*	1
Application	Cisco Telepresence Multipoint Switch Software cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.6.4:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.6.3:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.6.2:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.6.1:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.6.0:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.5.6:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.5.5:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.5.4:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.5.3:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.5.2:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.5.1:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.5.0:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.1.2:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.1.1:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.1.0:::::::* cpe:2.3:a:cisco:telepresence_multipoint_switch_software:1.0.4.0:::::::*	16
Application	Cisco Telepresence Recording Server Software cpe:2.3:a:cisco:telepresence_recording_server_software:1.7.1:::::::* cpe:2.3:a:cisco:telepresence_recording_server_software:1.7.0:::::::* cpe:2.3:a:cisco:telepresence_recording_server_software:1.6.3:::::::* cpe:2.3:a:cisco:telepresence_recording_server_software:1.6.2:::::::* cpe:2.3:a:cisco:telepresence_recording_server_software:1.6.1:::::::*	5
Application	Cisco Telepresence System Software cpe:2.3:a:cisco:telepresence_system_software:1.6.8:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.6.7:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.6.6:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.6.5:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.6.4:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.6.3:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.6.2:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.6.0:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.5.3:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.5.13:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.5.12:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.5.11:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.5.10:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.5.1:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.4.7:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.3.2:::::::* cpe:2.3:a:cisco:telepresence_system_software:1.2.3:::::::*	17
Hardware	Cisco 5500 Series Adaptive Security Appliance cpe:2.3:h:cisco:5500_series_adaptive_security_appliance::::::::	1
Hardware	Cisco Asa 5500 cpe:2.3:h:cisco:asa_5500::::::::	1
Hardware	Cisco Telepresence Multipoint Switch cpe:2.3:h:cisco:telepresence_multipoint_switch::::::::	1
Hardware	Cisco Telepresence Recording Server cpe:2.3:h:cisco:telepresence_recording_server::::::::	1
Hardware	Cisco Telepresence System 1000 cpe:2.3:h:cisco:telepresence_system_1000::::::::	1
Hardware	Cisco Telepresence System 1100 cpe:2.3:h:cisco:telepresence_system_1100::::::::	1
Hardware	Cisco Telepresence System 1300 Series cpe:2.3:h:cisco:telepresence_system_1300_series::::::::	1
Hardware	Cisco Telepresence System 3000 cpe:2.3:h:cisco:telepresence_system_3000::::::::	1
Hardware	Cisco Telepresence System 3200 Series cpe:2.3:h:cisco:telepresence_system_3200_series::::::::	1
Hardware	Cisco Telepresence System 500 Series cpe:2.3:h:cisco:telepresence_system_500_series::::::::	1

Open Source Vulnerability Database (OSVDB)

Id	Description
72607	Cisco TelePresence Recording Server XML-RPC Interface Unspecified Unauthentic...
72606	Cisco TelePresence Recording Server ad hoc Recording Malformed Request Remote...
72603	Cisco TelePresence Java Servlet RMI Interface Multiple Crafted Requests Remot...
72601	Cisco TelePresence XML-RPC Implementation Malformed Request File Overwrite Ar...
72600	Cisco TelePresence Administrative Web Interface Crafted Request Arbitrary Fil...
72598	Cisco TelePresence Java Servlet Framework Crafted Request Unauthenticated Com...
72597	Cisco TelePresence CGI Subsystem Unspecified Remote Command Injection
72594	Cisco Multiple Products Crafted Cisco Discovery Protocol (CDP) Packet Handlin...

Nessus® Vulnerability Scanner

Date	Description
2012-07-27	Name : The videoconferencing switch running on the remote host is affected by multip... File : cisco_tms_web_1_7_0.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	7
CPE ID(s)	49
osvdb(s)	8
Nessus® Exploit(s)	1

	Related
10	CVE-2011-0385
10	CVE-2011-0383
10	CVE-2011-0382
9.3	CVE-2011-0386
7.9	CVE-2011-0379
7.8	CVE-2011-0391
7.8	CVE-2011-0388
7.5	CVE-2011-0392
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 8 more Alert(s)

10 - cisco-sa-20110223-telepresence-ctrs

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU