Some products have not been patched, upgrade required

May 14, 2015 12:20 GMT

Certain versions of Cisco’s video conference products TelePresence TC and TE are vulnerable to attacks that could allow someone to access the systems with elevated privileges or to bring down the device.

The list of affected products includes the MX Series, System EX Series, Integrator C Series, Profiles Series, Quick Set Series, System T Series and VX Clinical Assistant.

Attacker needs to be on the network

A security advisory released by the company on Wednesday states that successful exploitation of one of the flaws, tracked as CVE-2014-2174, could allow an attacker to bypass authentication and obtain root access on the system.

As per the Common Vulnerability Scoring System, the base severity score calculated for this flaw is 8.3 out of 10.

One prerequisite for the attack to work is that the intruder must launch it from the same broadcast or collision domain as the device, which means the local network has to be compromised first; alternatively, physical access to the system is required.

The cause of the flaw is the improper implementation of authentication and authorization controls for internal services.

IP packet flood triggers denial of service condition

A second problem (CVSS severity score 7.8) detailed in the advisory can render the affected device inoperable by causing a denial-of-service (DoS) condition.

The flaw is triggered by sending a high rate of specially crafted IP packets to the device in succession.

The issue, identified as CVE-2015-0722, resides in the network drivers and stems from insufficient flood controls; successful exploitation allows a remote attacker to cause several running processes to restart.

Not all products receive the patch

Cisco has released free software updates: TelePresence TC release 7.1 addresses the authentication bypass, and release 7.3.2 eliminates the DoS risk. No fix is available for Cisco TelePresence TE software for either vulnerability.

Cisco says that customers running the System T Series have to migrate to newer hardware in order to receive the latest TelePresence patches.