TITLE:
Cisco TelePresence Products Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA43451

VERIFY ADVISORY:
http://secunia.com/advisories/43451/

RELEASE DATE:
2011-03-13

DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco TelePresence products, which can be exploited by malicious users to cause a DoS (Denial of Service) and compromise a vulnerable system and by malicious people to disclose sensitive information, cause a DoS (Denial of Service), bypass certain security restrictions, and compromise a vulnerable system.

1) An error when processing CGI requests can be exploited to inject arbitrary commands via a specially crafted request sent to TCP port 8082.

2) Some errors when processing CGI requests can be exploited to inject arbitrary commands via a specially crafted request sent to TCP port 443.

Successful exploitation of this vulnerability requires valid credentials.

3) An error when handling TFTP GET requests can be exploited to disclose authentication and configuration information via a request sent to UDP port 69.

4) An error when handling SOAP requests can be exploited to inject an arbitrary IP address into a configuration file, causing a certain service on a device to crash and become unusable, via a specially crafted request sent to TCP port 8081 or 9501.

Successful exploitation of this vulnerability requires an attacker to impersonate a Manager system.

5) An error when handling XML-RPC requests can be exploited to inject arbitrary commands via a specially crafted request sent to TCP port 61441 or 61445.

Successful exploitation of this vulnerability requires an attacker to be within the same broadcast domain as the target.

6) An error when handling Cisco Discovery Protocol (CDP) packets can be exploited to cause a buffer overflow via a specially crafted Ethernet frame sent to an affected device.

7) An error when handling SOAP requests can be exploited to invoke arbitrary methods within the SOAP interface without prior authentication via a specially crafted request sent to TCP port 8080 or 8443.

8) An error in the Java RMI interface can be exploited to inject arbitrary commands via a specially crafted request sent to TCP port 1100 or 32000.

9) An error when processing CGI requests can be exploited to inject arbitrary commands via a specially crafted request sent to TCP port 443.

10) Some errors within the Java Servlet framework can be exploited to access certain Java Servlets containing sensitive administrative information via requests sent to TCP ports 80, 443, or 8080.

11) An error in the administrative web interface can be exploited to upload a file to an arbitrary location on the device.

12) An error when processing XML-RPC requests can be exploited to overwrite an arbitrary file with logging data via a specially crafted request sent to TCP port 12102 or 12104.

13) An error in the administrative web interface can be exploited to access a certain Java Servlet resulting in a DoS condition on a device.

Successful exploitation of this vulnerability requires valid credentials.

14) An error within the Java Servlet framework due to improper access restrictions to the Java RMI interface can be exploited to cause an out-of-memory condition via specially crafted requests sent to TCP port 8999.

15) An error when processing Real-Time Transport Control Protocol (RTCP) packets can be exploited to crash a certain control process via a specially crafted packet.

Successful exploitation of this vulnerability requires knowing a UDP port associated with a listening RTCP control port, which is randomly assigned during a call setup process.

16) An error when processing certain XML-RPC requests can be exploited to cause a call geometry process to crash via a specially crafted request sent to TCP port 9000.

This vulnerability is reported in versions prior to 1.7.2.

17) An error when handling certain requests can be exploited to cause all recording and playback threads to be consumed resulting in an unusable device.

18) An error within the XML-RPC interface of the Recording server due to lack of authentication can be exploited to perform certain actions that should be restricted to authorized users.

The vulnerabilities are reported in versions prior to 1.7.1.

SOLUTION:
Update to version 1.7.2 when it becomes available in March 2011.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-cts.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctsman.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctms.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml
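
ADDED EXAMPLE (not part of the Secunia or Cisco advisory):
Most items in the description name the transport and port the issue is reached on, so a list of ports still permitted towards the devices can be triaged against them until the fixed version is installed. The sketch below parses a subset of the items copied from the description and compares them with a constructed allow-list; the "proto port" list format and all function names are assumptions.

```python
import re

# Subset of the advisory's numbered items, copied verbatim from the description.
ADVISORY_ITEMS = """\
1) An error when processing CGI requests can be exploited to inject arbitrary commands via a specially crafted request sent to TCP port 8082.
2) Some errors when processing CGI requests can be exploited to inject arbitrary commands via a specially crafted request sent to TCP port 443. Successful exploitation of this vulnerability requires valid credentials.
3) An error when handling TFTP GET requests can be exploited to disclose authentication and configuration information via a request sent to UDP port 69.
10) Some errors within the Java Servlet framework can be exploited to access certain Java Servlets containing sensitive administrative information via requests sent to TCP ports 80, 443, or 8080.
12) An error when processing XML-RPC requests can be exploited to overwrite an arbitrary file with logging data via a specially crafted request sent to TCP port 12102 or 12104.
"""

# Constructed sample (assumption): "proto port" pairs an ACL still permits
# towards the TelePresence devices, e.g. exported from a firewall rule review.
PERMITTED = """\
tcp 22
tcp 443
udp 69
tcp 12104
"""

ITEM_RE = re.compile(r"^(\d+)\) (.+)$", re.M)
# Matches "TCP port 8082", "TCP port 12102 or 12104", "TCP ports 80, 443, or 8080".
PORT_RE = re.compile(r"\b(TCP|UDP) ports? ((?:\d+(?:, (?:or )?| or )?)+)")

def parse_items(text):
    """Map item number -> affected (proto, port) set and whether credentials are needed."""
    items = {}
    for no, body in ITEM_RE.findall(text):
        ports = set()
        for proto, plist in PORT_RE.findall(body):
            ports |= {(proto.lower(), int(p)) for p in re.findall(r"\d+", plist)}
        items[int(no)] = {"ports": ports,
                          "needs_creds": "requires valid credentials" in body}
    return items

def parse_permitted(text):
    pairs = re.findall(r"^(tcp|udp)[ \t]+(\d+)[ \t]*$", text, re.M | re.I)
    return {(proto.lower(), int(port)) for proto, port in pairs}

def reachable_items(items, permitted):
    """Items with an affected port still permitted; unauthenticated ones sort first."""
    hits = [(no, sorted(i["ports"] & permitted), i["needs_creds"])
            for no, i in items.items() if i["ports"] & permitted]
    return sorted(hits, key=lambda h: (h[2], h[0]))

if __name__ == "__main__":
    for no, ports, creds in reachable_items(parse_items(ADVISORY_ITEMS),
                                            parse_permitted(PERMITTED)):
        print(f"item {no}: {ports} {'(credentialed)' if creds else '(no credentials stated)'}")
```

Items that name no port (for example 11 and 17) never match, so an empty result does not show that a device is unaffected.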