Category:   Device (Multimedia)  >   Cisco TelePresence
Vendors:   Cisco
Cisco TelePresence System Software Input Validation Flaw in SSCD Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1029656
SecurityTracker URL:  http://securitytracker.com/id/1029656
CVE Reference:   CVE-2014-0661
Date:  Jan 22 2014
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Cisco TelePresence System Software. A remote user can execute arbitrary code on the target system.

A remote user on the adjacent network can send specially crafted XML-RPC data to trigger a stack corruption flaw in the System Status Collection Daemon (SSCD) and execute arbitrary code on the target system. The code will run with root privileges.

The vendor has assigned bug ID CSCui32796 to this vulnerability.

The following hardware products are affected:

Cisco TelePresence System 500-32
Cisco TelePresence System 500-37
Cisco TelePresence System 1000
Cisco TelePresence System 1100
Cisco TelePresence System 1300-65
Cisco TelePresence System 3000
Cisco TelePresence System 3010
Cisco TelePresence System 3200
Cisco TelePresence System 3210
Cisco TelePresence System TX1300 47 (Also Known As the TX1300-47)
Cisco TelePresence System TX1310 65
Cisco TelePresence System TX9000
Cisco TelePresence System TX9200

Impact:   A remote user on the adjacent network can execute arbitrary code on the target system with root privileges.
Solution:   The vendor has issued a fix.

Cisco TelePresence System 500-32: 6.0.4(11)
Cisco TelePresence System 500-37: 1.10.2(42)
Cisco TelePresence System 1000: 1.10.2(42)
Cisco TelePresence System 1300-65: 1.10.2(42)
Cisco TelePresence System 3000: 1.10.2(42)
Cisco TelePresence System 3010: 1.10.2(42)
Cisco TelePresence System 3200: 1.10.2(42)
Cisco TelePresence System 3210: 1.10.2(42)
Cisco TelePresence System 1300-47: 6.0.4(11)
Cisco TelePresence System TX1310 65: 6.0.4(11)
Cisco TelePresence System TX9000: 6.0.4(11)
Cisco TelePresence System TX9200: 6.0.4(11)

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140122-cts

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140122-cts
Cause:   Access control error, Input validation error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 22 Jan 2014 11:01:21 -0500
Subject:  Cisco Security Advisory: Cisco TelePresence System Software Command Execution Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Cisco TelePresence System Software Command Execution Vulnerability

Advisory ID: cisco-sa-20140122-cts

Revision 1.0

For Public Release 2014 January 22 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence System Software contains a vulnerability in the System Status Collection Daemon (SSCD) code that could allow an unauthenticated, adjacent attacker to execute arbitrary commands with the privileges of the root user.

Cisco has released free software updates that address this vulnerability. No workarounds that mitigate this vulnerability are available. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140122-cts

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)

iF4EAREKAAYFAlLftvIACgkQUddfH3/BbTrePQD9FSpmHbt1k2llXblHoEoQrOEd
1G5+AeNJnwMANjUfiSsA/RtJM/0hpPgxhq/FekwVXg4FLeNCpfB+UJqEjAhezWzy
=RUj5
-----END PGP SIGNATURE-----
Copyright 2014, SecurityGlobal.net LLC