===================================================================== CERT-Renater Note d'Information No. 2014/VULN116 _____________________________________________________________________ DATE : 02/05/2014 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Cisco TelePresence System MXP Series Software, Cisco TelePresence TC and TE Software. ====================================================================== http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-mxp http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-tcte ______________________________________________________________________ Multiple Vulnerabilities in Cisco TelePresence System MXP Series Advisory ID: cisco-sa-20140430-mxp Revision 1.0 For Public Release 2014 April 30 16:00 UTC (GMT) Summary ======= Cisco TelePresence System MXP Series Software contains the following vulnerabilities: Three SIP denial of service vulnerabilities Three H.225 denial of service vulnerabilities Successful exploitation of these vulnerabilities may allow an attacker to cause system instability and the affected system to reload. Note: This security advisory does not provide information about the OpenSSL TLS Heartbeat Read Overrun Vulnerability identified by CVE-2014-0160 (also known as Heartbleed). For additional information regarding Cisco products affected by the Heartbleed vulnerability, refer to the Cisco Security Advisory available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-mxp _______________________________________________________________________ Multiple Vulnerabilities in Cisco TelePresence TC and TE Software Advisory ID: cisco-sa-20140430-tcte Revision 1.0 For Public Release 2014 April 30 16:00 UTC (GMT) Summary ======= Cisco TelePresence TC and TE Software are affected by the following vulnerabilities: Six Session Initiation Protocol (SIP) denial of service vulnerabilities Cisco TelePresence TC and TE Software DNS Buffer Overflow Vulnerability Cisco TelePresence TC and TE Software Input Validation Vulnerability Cisco TelePresence TC and TE Software tshell Command Injection Vulnerability Cisco TelePresence TC and TE Software Heap Overflow Vulnerability Cisco TelePresence TC and TE Software U-Boot Buffer Overflow Vulnerability Cisco TelePresence TC and TE Software Unauthenticated Serial Port Access Vulnerability Cisco TelePresence TC H.225 Denial of Service Vulnerability Successful exploitation of these vulnerabilities could allow an attacker to cause the affected system to reload, execute arbitrary commands or obtain privileged access to the affected system. Note: This security advisory does not provide information about the OpenSSL TLS Heartbeat Read Overrun Vulnerability identified by CVE-2014-0160 (also known as Heartbleed). For additional information on Cisco products affected by the Heartbleed vulnerability, refer to the Cisco Security Advisory available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-tcte ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================