Cisco has patched a number of vulnerabilities in its TelePresence products, the most serious of which allow a remote hacker to inject commands into a device and gain root privileges.
TelePresence products link remote locations with audio, video and other collaboration tools. Cisco said none of the vulnerabilities is being publicly exploited.
The command injection flaw affects the Web framework of a long list of TelePresence products; an attacker would need to be authenticated to take advantage of the input validation vulnerability. Cisco said there are no workarounds available.
“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page. Administrative privileges are required in order to access the affected parameter,” Cisco said. “A successful exploit could allow an attacker to execute system commands with the privileges of the root user.”
Cisco published a list of known affected products in its advisory, which includes:
- Cisco TelePresence Advanced Media Gateway Series
- Cisco TelePresence IP Gateway Series
- Cisco TelePresence IP VCR Series
- Cisco TelePresence ISDN Gateway
- Cisco TelePresence MCU 4200 Series
- Cisco TelePresence MCU 4500 Series
- Cisco TelePresence MCU 5300 Series
- Cisco TelePresence MCU MSE 8420
- Cisco TelePresence MCU MSE 8510
- Cisco TelePresence Serial Gateway Series
- Cisco TelePresence Server 7010
- Cisco TelePresence Server MSE 8710
- Cisco TelePresence Server on Multiparty Media 310
- Cisco TelePresence Server on Multiparty Media 320
- Cisco TelePresence Server on Virtual Machine
A separate alert from the networking giant warned of security vulnerabilities specific to the Cisco TelePresence TC and TE software packages, leading an attacker to bypass authentication or crash the device leading to a denial of service condition.
An attacker exploiting the authentication bypass vulnerability would have access to a TelePresence device and assume root privileges.
“The vulnerability is due to the improper implementation of authentication and authorization controls for internal services. An attacker could exploit this vulnerability by connecting to the affected service,” Cisco said.
The denial of service vulnerability would allow a hacker to restart processes or trigger a reload of the system, Cisco said.
“The vulnerability is due to insufficient implementation of flood controls. An attacker could exploit this vulnerability by sending crafted IP packets at a high rate,” Cisco said.
Cisco said the Cisco TelePresence MX Series, Cisco TelePresence System EX Series,Cisco TelePresence Integrator C Series, Cisco TelePresence Profiles Series, Cisco TelePresence Quick Set Series, Cisco TelePresence System T Series, and Cisco TelePresence VX Clinical Assistant are affected.
TelePresence TE software is affected only on TelePresence System EX Series devices, the company said, adding that it would not patch T series since it is end-of-life.