SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Device (Multimedia)  >   Cisco TelePresence Vendors:   Cisco
Cisco TelePresence Recording Server Bugs Let Remote Users Execute Arbitrary Code and Deny Service
SecurityTracker Alert ID:  1027244
SecurityTracker URL:  http://securitytracker.com/id/1027244
CVE Reference:   CVE-2012-2486, CVE-2012-3073, CVE-2012-3076   (Links to External Site)
Date:  Jul 12 2012
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.8.1
Description:   Several vulnerabilities were reported in Cisco TelePresence Recording Server. A remote user or remote authenticated can execute arbitrary code on the target system. A remote user can cause denial of service conditions.

A remote user on the adjacent network can send specially crafted Cisco Discovery Protocol packets to execute arbitrary code on the target system with elevated privileges [CVE-2012-2486].

Cisco has assigned Cisco bug ID CSCtz40953 to this vulnerability.

A remote user can send a sequence of specially crafted IP packets and TCP connection requests or terminations at a high rate to prevent the target device from responding to new connection requests [CVE-2012-3073]. Some services and processes may crash.

Cisco has assigned Cisco bug ID CSCti21830 to this vulnerability.

A remote authenticated user can send specially crafted requests to the administrative web interface to execute arbitrary commands with elevated privileges [CVE-2012-3076].

Cisco has assigned Cisco bug ID CSCth85804 to this vulnerability.
Impact:   A remote user can execute arbitrary code on the target system.

A remote authenticated user can execute arbitrary commands on the target system.

A remote user can cause denial of service conditions.
Solution:   The vendor has issued a fix (1.8.1).

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs
Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs (Links to External Site)
Cause:   Not specified
Underlying OS:  

Message History:   None.

 Source Message Contents
Date:  Wed, 11 Jul 2012 12:09:51 -0400
Subject:  Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Multiple Vulnerabilities in Cisco TelePresence Recording Server

Advisory ID: cisco-sa-20120711-ctrs

Revision 1.0

For Public Release 2012 July 11 16:00  UTC (GMT)
+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence Recording Server contains the following vulnerabilities:

 Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability
 Cisco TelePresence Web Interface Command Injection
 Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability

Exploitation of the Cisco TelePresence Malformed IP Packets Denial of
Service Vulnerability may allow a remote, unauthenticated attacker to
create a denial of service condition, preventing the product from
responding to new connection requests and potentially causing some
services and processes to crash.

Exploitation of the Cisco TelePresence Web Interface Command Injection
may allow an authenticated, remote attacker to execute arbitrary
commands on the underlying operating system with elevated privileges.

Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote
Code Execution Vulnerability may allow allow an unauthenticated,
adjacent attacker to execute arbitrary code with elevated privileges.

Cisco has released updated software that resolves the command and code
execution vulnerabilities.  There are currently no plans to resolve
the malformed IP packets denial of service vulnerability, as this
product is no longer being actively supported.

There are no workarounds that mitigate these vulnerabilities.

Customers should contact their Cisco Sales Representative to determine
the Business Unit responsible for their Cisco TelePresence Recording
Server.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAk/9izAACgkQUddfH3/BbTpgpwD/TQOz5H0BG4ogU7mv8ZnqT69E
bgkxiXeO+2F8ogOPR/gA/iVsXNVK3OOeTYTZx5VCTqjGdtn/QRPNjUFyv5vu/OOH
=wEHe
-----END PGP SIGNATURE-----
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC