Cisco Systems is warning customers of a critical vulnerability affecting three of its TelePresence MCU platform models. The flaw could give attackers the ability to remotely execute code on impacted systems or create conditions favorable to a denial-of-service (DoS) attack.
According to an advisory issued this week, the vulnerability (CVE-2017-3792) is tied to a proprietary device driver in the kernel of the Cisco TelePresence Multipoint Control Unit (MCU) Software used in platform models 4500, MSE 8510 and 5300 Series.
“The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets,” wrote Cisco in its bulletin. Affected systems are those running software version 4.3(1.68) or later configured for “Passthrough” content mode.
Cisco has issued two patches for MSE 8510 and 5300 Series users. However, it said it will not issue a patch for the affected TelePresence MCU 4500 platform. That platform, Cisco said, “has reached the end-of-software maintenance milestone on July 9, 2016.”
Cisco’s TelePresence MCU platform is the company’s high-definition multimedia conferencing bridge that works with a variety of different vendor endpoint systems.
Cisco also released two additional alerts for vulnerabilities rated high in additional products.
One of the vulnerabilities is in the company’s Cisco Expressway Series and Cisco TelePresence Video Communication Server. The server is designed to help Cisco TelePresence customers manage, secure and improve the quality of teleconferencing.
The vulnerability is present when the server parses received packets in such a way that it can create conditions where “software could allow an unauthenticated, remote attacker to cause a reload of the affected system, resulting in a denial of service (DoS) condition,” according to the security alert.
“The vulnerability is due to insufficient size validation of user-supplied data. An attacker could exploit this vulnerability by sending crafted H.224 data in Real-Time Transport Protocol (RTP) packets in an H.323 call,” Cisco describes. A possible consequence is an attacker overflowing a “buffer in a cache that belongs to the received packet parser, which will result in a crash of the application, resulting in a DoS condition.”
For this bug (CVE-2017-3790), Cisco is offering a patch, and no workaround. All versions of Cisco Expressway Series Software and Cisco TelePresence VCS Software prior to version X8.8.2 are vulnerable, according to Cisco.
Lastly, Cisco also issued a high severity vulnerability alert for its Adaptive Security Appliance (ASA) CX Context-Aware Security module, one of the company’s firewall products designed to give admin visibility into users connecting to the network, the type of devices on the network and applications used.
“A vulnerability in the data plane IP fragment handler of the Adaptive Security Appliance (ASA) CX Context-Aware Security module could allow an unauthenticated, remote attacker to cause the CX module to be unable to process further traffic, resulting in a denial of service (DoS) condition,” according to Cisco.
The vulnerability (CVE-2016-9225) is due to improper handling of IP fragments, explains Cisco. In one scenario, an attacker could send fragmented IP traffic through the CX module and exhaust free buffers in shared memory resulting in conditions favorable to a DoS attack.
Cisco said no patch or workaround is being released to address this vulnerability because the product has “entered the end-of-life process,” Cisco wrote. The company is advising affected customers to migrate to one of its more recent solutions.
Cisco said it is unaware that any of the above vulnerabilities have been publicly exploited.
Earlier this week, Cisco released a patch for its WebEx Chrome Plugin, used by tens of millions for web conferencing in business environments, that exposed computers to remote code execution.
