
====================================================================

                           CERT-Renater

               Information Note No. 2015/VULN086
_____________________________________________________________________

DATE                : 15/05/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco TelePresence Products.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150513-tc
______________________________________________________________________

Cisco Security Advisory: Command Injection Vulnerability in Multiple
Cisco TelePresence Products

Advisory ID: cisco-sa-20150513-tp

Revision 1.0

For Public Release 2015 May 13 16:00  UTC (GMT)
+----------------------------------------------------------------------


Summary
=======

A vulnerability in the web framework of multiple Cisco TelePresence
products could allow an authenticated, remote attacker to inject
arbitrary commands that are executed with the privileges of the root user.

The vulnerability is due to insufficient input validation. An attacker
could exploit this vulnerability by authenticating to the device and
submitting crafted input to the affected parameter in a web page.
Administrative privileges are required in order to access the affected
parameter. A successful exploit could allow an attacker to execute
system commands with the privileges of the root user.

Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are not
available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150513-tp
_____________________________________________________________________

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence
TC and TE Software

Advisory ID: cisco-sa-20150513-tc

Revision 1.0

For Public Release 2015 May 13 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence TC and TE Software contains the following
vulnerabilities:

    Cisco TelePresence TC and TE Software Authentication Bypass Vulnerability
    Cisco TelePresence TC and TE Software Crafted Packets Denial of Service Vulnerability


Successful exploitation of the Cisco TelePresence TC and TE Software
Authentication Bypass Vulnerability could allow an attacker to bypass
system authentication and access the device with the privileges of the
root user.

Successful exploitation of the Cisco TelePresence TC and TE Software
Crafted Packets Denial of Service Vulnerability could allow an attacker
to restart several processes and possibly trigger a reload of the
affected system.

Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate these vulnerabilities are not
available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150513-tc


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
