Cisco TelePresence kit and software need patching after the company turned up vulnerabilities that open them up to remote command injection and denial of service attacks.
TelePresence TC and TE software has two vulnerabilities: an authentication bypass that gives attackers root access to devices running the software, and a DoS flaw in which crafted packets could trigger a restart of the affected systems.
The affected products include Cisco TelePresence MX Series, System EX Series, Integrator C Series, Profiles Series, Quick Set Series, System T Series, and the VX Clinical Assistant. The TE software is only vulnerable on System EX Series units.
All systems except the end-of-life System T Series have been patched; System T owners will have to upgrade.
In a separate advisory, Cisco also warns that a bug in the Web framework “could allow an authenticated, remote attacker to inject arbitrary commands that are executed with the privileges of the root user”.
It's an input validation bug, the Borg notes, allowing an attacker to authenticate to the device and submit crafted input.
The bug affects various TelePresence media gateway devices (wow, there's still an ISDN gateway and a serial gateway on the books), the MCU and MCU MSE conference bridge software, and both the hardware and virtual machine versions of the TelePresence server software.