The original article can be found at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e152.shtml
* Cisco TelePresence software prior to 1.7.1
* Cisco TelePresence software 1.7.1
This advisory addresses Cisco TelePresence endpoint devices and details the following vulnerabilities:
* Unauthenticated Common Gateway Interface (CGI) Access
* CGI Command Injection
* TFTP Information Disclosure
* Malicious IP Address Injection
* XML-Remote Procedure Call (RPC) Command Injection
* Cisco Discovery Protocol Remote Code Execution
CGI Command Injection
Multiple CGI command injection vulnerabilities exist in Cisco TelePresence endpoint devices that could allow a remote, authenticated attacker to execute arbitrary commands with elevated privileges. To exploit these vulnerabilities, an attacker must submit a malformed request to an affected device via TCP port 443.
An attacker must perform a three-way TCP handshake and establish a valid session to exploit these vulnerabilities.
TFTP Information Disclosure
An information disclosure vulnerability exists within Cisco TelePresence endpoint devices that could allow an unauthenticated, remote attacker to retrieve sensitive authentication and configuration information. The attacker would need to have the ability to submit a TFTP GET request via UDP port 69 to the affected device.
Because the vulnerability is within a UDP based service, the attacker would not be required to perform a handshake prior to making the crafted request. However, due to the fact that this is an information disclosure issue the attacker would need to supply a valid return IP address to retrieve the information.
Malicious IP Address Injection
A denial of service vulnerability exists within Cisco TelePresence endpoint devices that could allow a remote, unauthenticated attacker to cause a denial of service condition. An attacker with the ability to impersonate a Cisco TelePresence Manager system could remotely inject an invalid IP address into a configuration file that could cause a critical service on the device to crash. An endpoint affected by this issue will remain unusable until it has been manually restored to a known good state. Restoration of service may require an administrator to reload software on the affected device. The attacker would need the ability to submit a malformed SOAP request to an affected device via TCP port 8081 or TCP port 9501.
An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability.
XML-RPC Command Injection
An XML-RPC command injection vulnerability exists with Cisco TelePresence endpoint devices. This issue could allow an unauthenticated attacker with access to the broadcast domain of the affected device to execute arbitrary commands with elevated privileges. The attacker would need the ability to submit a request to an affected system via TCP port 61441 or TCP port 61445.
An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. The issue may require that the attacker perform an ARP spoofing or other form of impersonation attack.
Cisco Discovery Protocol Remote Code Execution
A remote code execution vulnerability exists in Cisco TelePresence endpoint devices. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. To exploit this vulnerability, the attacker must submit a malicious Cisco Discovery Protocol packet to an affected system.
Because Cisco Discovery Protocol functions at the Data-Link (L2) layer, an attacker must submit an Ethernet frame directly to an affected device. This scenario may be possible when affected systems are part of a bridged network or connected to a nonpartitioned device such as a network hub.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
Revision 1.0 2011-February-23 Intial public release.