Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Cisco TelePresence Bugs Permits Cross-Site Scripting and Denial of Service Attacks
SecurityTracker Alert ID: 1026072|
SecurityTracker URL: http://securitytracker.com/id/1026072
(Links to External Site)
Date: Sep 19 2011
Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): C Series TC4.1.2 and prior versions; MXP Series F9.1 and prior versions|
Two vulnerabilities were reported in Cisco TelePresence. A remote user can cause denial of service conditions. A remote user can conduct cross-site scripting attacks.|
The Endpoint web interface does not properly filter HTML code from user-supplied input before displaying the input [CVE-2011-2544]. A remote user can create a specially crafted Call ID value that, when viewed by a target authenticated user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Cisco TelePresence interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Cisco has assigned Cisco Bug ID CSCtq46488 to this vulnerability.
The getXML handle does not properly validate user-supplied input. A remote user can load a specially crafted URL to cause the target Endpoint to reboot [CVE-2011-2543].
Cisco has assigned Cisco Bug ID CSCtq46496 to this vulnerability.
David Klein of Sense of Security Labs reported these vulnerabilities.
A remote user can cause the target endpoint to reboot.|
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Cisco TelePresence interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a fix [see Cisco Bug IDs CSCtq46488 and CSCtq46496].|
[Editor's note: No security advisory was available at the time of this entry.]
Vendor URL: www.cisco.com/ (Links to External Site)
Input validation error|
Source Message Contents
Date: Mon, 19 Sep 2011 17:55:02 +1000|
Subject: Cisco TelePresence Multiple Vulnerabilities - SOS-11-010
Sense of Security - Security Advisory - SOS-11-010
Release Date. 19-Sep-2011
Last Update. -
Vendor Notification Date. 21-Feb-2011
Product. Cisco TelePresence Series
Affected versions. C <= TC4.1.2, MXP <= F9.1
Severity Rating. Low - Medium
Impact. Cookie/credential theft,
loss of confidentiality,
client-side code execution,
denial of service.
Solution Status. Vendor patch
References. 1. CVE-2011-2544 (CSCtq46488)
2. CVE-2011-2543 (CSCtq46496)
3. CVE-2011-2577 (CSCtq46500)
Cisco TelePresence is an umbrella term for Video Conferencing Hardware
and Software, Infrastructure and Endpoints. The C & MXP Series are the
Endpoints used on desks or in boardrooms to provide users with a
termination point for Video Conferencing.
1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488):
Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for
managing, configuring and reporting. It is possible to set the Call ID
(with H.323 or SIP) to a HTML value. If a call is made to another
endpoint and an authenticated user browses to the web interface on the
endpoint receiving the call (e.g. to view call statistics), the
HTML will render locally within the context of the logged in user. From
this point it is possible to make changes to the system as the
authenticated user. The flaw is due to the flexibility of the H.323 ID
or SIP Display Name fields and failure to correctly validate user input.
Rebooting the system: <IMG SRC="/reboot&Yes=please">
The attacker may also choose to change passwords in the system, disable
encryption or enable telnet:
2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496):
Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for
setting and getting configuration.
Example syntax is:
The request is sent to a locally listening shell (tshell). This is the
case for all requests relating to performing an action on the system(e.g.
config get or set). The shell then sends the input to the "main"
application(/app/main, id=0), and the data is passed as a parameter.
It was discovered that the getXML handle does not properly perform
length checking on the user supplied input before passing it to the
tshell. Furthermore, there is no length checking performed in the tshell
and no bounds checking performed in the main application where the
parameter is consumed. As such, it is possible to send input that
exceeds the size of the receiving buffer, subsequently causing an
invalid address to be read. This causes a reboot on the Endpoints. The
VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but
it will restart the process itself which drops all calls.
Proof of Concept: GET
Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670
Illegal memory access at: 0x5858585c
GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037
GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896
GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac
NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002
As you can see, the crash string is passed as a parameter in GPR 8.
The severity of this issue is compounded by the fact that the main
application runs as root, this could potentially lead to arbitrary code
3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500):
Cisco TelePresence Endpoints utilise SIP for the call setup protocol.
Sending a SIP INVITE with a 4x8 a"s in the MAC Address field and the
receive field causes the system to reboot.
Proof of Concept: MXP:
Exception 0x1100 : Data TLB load miss Active task
FsmMain FSM process : SipTrnsp(0) FSM message : SipTrnsp_Send_Msg_Req
from SipTrnsp(0) Data TLB miss (DMISS) : 0x00000000 (illegal addr.
Upgrade to TC4.2 for the C series to fix validation issues.
David Klein, Sense of Security Labs.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the countries largest
Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
The latest version of this advisory can be found at:
Other Sense of Security advisories can be found at:
Go to the Top of This SecurityTracker Archive Page