SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Device (Multimedia)  >   Cisco TelePresence Vendors:   Cisco
Cisco TelePresence Immersive Endpoint Devices Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1027245
SecurityTracker URL:  http://securitytracker.com/id/1027245
CVE Reference:   CVE-2012-2486, CVE-2012-3074, CVE-2012-3075   (Links to External Site)
Date:  Jul 12 2012
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.9.1
Description:   Several vulnerabilities were reported in Cisco TelePresence Immersive Endpoint Devices. A remote user on an adjacent network can execute arbitrary code on the target system. A remote authenticated user can execute arbitrary commands on the target system.

A remote user on an adjacent network can send specially crafted Cisco Discovery Protocol packets to execute arbitrary code on the target system with elevated privileges [CVE-2012-2486].

Cisco has assigned Cisco bug ID CSCtz40953 to this vulnerability.

A remote user on an adjacent network can send a specially crafted request to TCP port 61460 to exploit a flaw in one of the Cisco TelePresence APIs and execute arbitrary commands on the underlying operating system with elevated privileges [CVE-2012-3074].

Cisco has assigned Cisco bug ID CSCtz38382 to this vulnerability.

A remote authenticated user can send specially crafted requests to the administrative web interface to execute arbitrary commands with elevated privileges [CVE-2012-3075].

Cisco has assigned Cisco bug ID CSCtn99724 to this vulnerability.
Impact:   A remote user on an adjacent network can execute arbitrary code on the target system.

A remote authenticated user can execute arbitrary commands on the target system.
Solution:   The vendor has issued a fix (1.9.1).

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts
Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts (Links to External Site)
Cause:   Not specified
Underlying OS:  

Message History:   None.

 Source Message Contents
Date:  Wed, 11 Jul 2012 12:09:51 -0400
Subject:  Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Immersive Endpoint Devices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Multiple Vulnerabilities in Cisco TelePresence Immersive Endpoint Devices

Advisory ID: cisco-sa-20120711-cts

Revision 1.0

For Public Release 2012 July 11 16:00  UTC (GMT)
+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence Endpoint devices contain the following vulnerabilities:

 Cisco TelePresence API Remote Command Execution Vulnerability
 Cisco TelePresence Remote Command Execution Vulnerability
 Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability

Exploitation of the API Remote Command Execution vulnerability could
allow an unauthenticated, adjacent attacker to inject commands into
API requests.  The injected commands will be executed by the
underlying operating system in an elevated context.

Exploitation of the Remote Command Execution vulnerability could allow
an authenticated, remote attacker to inject commands into requests
made to the Administrative Web interface.  The injected commands will
be executed by the underlying operating system in an elevated context.


Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote
Code Execution Vulnerability may allow an unauthenticated, adjacent
attacker to execute arbitrary code with elevated privileges.

Cisco has released free software updates that address these vulnerabilities. 
There are no workarounds that mitigate these vulnerabilities. 

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAk/9lu0ACgkQUddfH3/BbTqlngD/QXo0Y0ds6xqOEA9HjbtVmqCB
u3xsHxnWro9ApV48wVoA/RTrZe8zBeFxEHss91AYC3bYXbTGltCP91audYSv6LUc
=PjIb
-----END PGP SIGNATURE-----
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC