Cisco Security AdvisoryThe
vulnerability is due to insufficient validation of parameters passed
during the login process. An attacker could exploit this vulnerability
by sending a crafted request to the system. An exploit could allow the attacker to bypass the authentication
controls and successfully log in to the system. An attacker would need to
have knowledge of a valid username. The attacker will receive the privilege of that user after logging in. This vulnerability could give the attacker administrative access to the affected system.
Critical
Advisory ID:
cisco-sa-20150311-vcs
First Published:
2015 March 11 16:00 GMT
Version 1.0:
Workarounds:
Cisco Bug IDs:
CVSS Score:
Base 10.0,
Temporal 8.3
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Cisco TelePresence Video Communication Server (VCS), Cisco Expressway and Cisco TelePresence Conductor contain the following vulnerabilities:
- SDP Media Description Denial of Service Vulnerability
- Authentication Bypass Vulnerability
Successful exploitation of the Authentication Bypass Vulnerability may allow an attacker to bypass authentication and log in to the system with the privileges of an administrator.
Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150311-vcs
-
Vulnerable Products
These vulnerabilities apply to the following products running an affected version of software:
- Cisco TelePresence VCS Control
- Cisco TelePresence VCS Expressway
- Cisco TelePresence VCS Starter Pack Expressway
- Cisco Expressway Core
- Cisco Expressway Edge
- Cisco TelePresence Conductor
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco TelePresence VCS extends the benefits of face-to-face video collaboration across networks and organizations by supporting any-to-any video and telepresence communications.
Cisco Expressway is designed specifically for comprehensive collaboration services provided through Cisco Unified Communications Manager, Cisco Business Edition, or Cisco Hosted Collaboration Solution. It features established firewall-traversal technology and helps redefine traditional enterprise collaboration boundaries.
Cisco TelePresence Conductor simplifies multiparty video collaboration by orchestrating the allocation of conferencing resources for every user in a meeting.
SDP Media Description Denial of Service Vulnerability
A vulnerability in the Session Description Protocol (SDP) packet handler function could allow an unauthenticated, remote attacker to trigger a reload of the affected system.
The vulnerability is due to improper handling of an exception when receiving crafted SDP packets. An attacker could exploit this vulnerability by sending crafted SDP packets to the affected system.
Note: This vulnerability can be triggered by SDP messages sent via UDP or TCP. Messages sent via Transport Layer Security (TLS) will also be affected. The default ports for UDP and TCP deployments are UDP port 5060 and TCP port 5060. The default port for TLS deployment is TCP port 5061. This vulnerability can be triggered via IP version 4 (IPv4) and IP version 6 (IPv6) packets.
This vulnerability is documented in Cisco bug ID CSCus96593 (registered customers only) for Cisco TelePresence VCS and Cisco Expressway and Cisco bug ID CSCun73192 (registered customers only) for Cisco TelePresence Conductor.
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0652.
Authentication Bypass Vulnerability
A vulnerability in the authentication code could allow an unauthenticated, remote attacker to bypass the system login and successfully authenticate to the system.
Note: This vulnerability can be exploited over HTTPS only and targeting the management interface of the affected system. A valid TCP handshake is needed to exploit this vulnerability. This vulnerability can be triggered via IPv4 and IPv6 packets.
This vulnerability is documented in Cisco bug ID CSCur02680 (registered customers only) for Cisco TelePresence VCS and Cisco Expressway and Cisco bug ID CSCur05556 (registered customers only) for Cisco TelePresence Conductor
This vulnerability has been assigned CVE ID CVE-2015-0653.
-
There are no workarounds that mitigate the vulnerabilities described in this advisory.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=37541
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The following table summarizes the first fixed release for both vulnerabilities in Cisco TelePresence VCS, Cisco Expressway, and Cisco TelePresence Conductor software. The Recommended Release row gives information on the recommended release that resolves all the vulnerabilities in this security advisory.
Cisco TelePresence VCS and Cisco Expressway First Fixed Releases
Cisco TelePresence Conductor First Fixed Releases
SDP Media Description Denial of Service Vulnerability
X8.2 and later
XC2.4 and later
Authentication Bypass Vulnerability
X7.2.4, X8.1.2, X8.2.2, X8.5 and later
X2.3.1, XC2.4.1, XC3.0 and later Recommended Release
X8.5.1 and later XC3.0.2 and later
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
The Authentication Bypass Vulnerability was reported to Cisco by Andrey Medov of Positive Technologies company (Positive Research Center).
The SDP Media Description Denial of Service Vulnerability was found during the resolution of support cases.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.0 2015-March-11 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.