Cisco Patches Critical Bug In Video Conferencing Server Hardware

A vulnerability in Cisco’s meeting server software allows a remote attacker to masquerade as legit user.

On Wednesday Cisco Systems patched a critical vulnerability found in its Cisco Meeting Server hardware, a key component in its enterprise audio, web and video conferencing service.

The flaw, according to a Cisco Security Advisory, could allow an unauthenticated remote attacker to masquerade as a legitimate user. “A successful exploit could allow an attacker to access the system as another user,” according to Cisco.

The vulnerability impacts versions of Cisco Meeting Server (CMS) prior to version 2.0.6. Cisco said the vulnerability is traced to the CMS service’s Extensible Messaging and Presence Protocol, which tracks a user’s availability status and communications capabilities. The flaw (CVE-2016-6445) also impacts versions of Cisco’s Acano Servers (1.9.6 and 1.8.18).

Cisco patched the vulnerability and also provided a workaround effective at mitigating the flaw in “some environments.”

Cisco’s security advisory also included five additional warnings, each rated at a medium risk. Some of those vulnerabilities include a DoS flaw (CVE-2016-6437) in its Cisco Wide Area Application Services, an iFrame data clickjacking bug (CVE-2016-6440) in its Cisco Unified Communications Manager and a cross-site request forgery vulnerability (CVE-2016-6442) in its Finesse Agent and Supervisor Desktop Software.

Last week, Cisco warned users of its Nexus 7000-series switches and its NX-OS software of several patches addressing critical software flaws in those products.

Suggested articles