Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Multiple Vulnerabilities in Cisco TelePresence Immersive Endpoint Devices
Informations
Name cisco-sa-20120711-cts First vendor Publication 2012-07-11
Vendor Cisco Last vendor Modification 2012-07-11
Severity (Vendor) N/A Revision 1.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score 9 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Cisco TelePresence Endpoint devices contain the following vulnerabilities:

Cisco TelePresence API Remote Command Execution Vulnerability Cisco TelePresence Remote Command Execution Vulnerability Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability

Exploitation of the API Remote Command Execution vulnerability could allow an unauthenticated, adjacent attacker to inject commands into API requests. The injected commands will be executed by the underlying operating system in an elevated context.

Exploitation of the Remote Command Execution vulnerability could allow an authenticated, remote attacker to inject commands into requests made to the Administrative Web interface. The injected commands will be executed by the underlying operating system in an elevated context.

Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts BEGIN PGP SIGNATURE Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAk/9lu0ACgkQUddfH3/BbTqlngD/QXo0Y0ds6xqOEA9HjbtVmqCB u3xsHxnWro9ApV48wVoA/RTrZe8zBeFxEHss91AYC3bYXbTGltCP91audYSv6LUc =PjIb END PGP SIGNATURE _______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)
33 % CWE-94 Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 42
Application 68
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 2
Hardware 1
Hardware 1
Hardware 1
Hardware 1

Information Assurance Vulnerability Management (IAVM)

Date Description
2012-07-19 IAVM : 2012-B-0070 - Multiple Vulnerabilities in Cisco TelePresence
Severity : Category I - VMSKEY : V0033371

Nessus® Vulnerability Scanner

Date Description
2013-09-20 Name : The remote host is missing a vendor-supplied security patch.
File : cisco-sa-20120711-ctms.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2013-11-11 12:37:30
  • Multiple Updates
2013-02-06 19:08:00
  • Multiple Updates