Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Patches Serious Flaws in Collaboration Products

Cisco has released software updates that patch critical and high severity vulnerabilities in its TelePresence and Expressway collaboration products.

Cisco has released software updates that patch critical and high severity vulnerabilities in its TelePresence and Expressway collaboration products.

The most severe of them is a critical remote code execution vulnerability affecting the device driver in the kernel of Cisco TelePresence Multipoint Control Unit (MCU). The flaw can be exploited by a remote, unauthenticated attacker to trigger a buffer overflow and execute arbitrary code or cause a denial-of-service (DoS) condition.

The security hole, tracked as CVE-2017-3792, affects TelePresence MCU 5300 Series, MCU MSE 8510 and MCU 4500 when running version 4.3(1.68) or later of the software – versions prior to 4.3(1.68) are not impacted. Affected users have been advised to update to version 4.5(1.89).

Cisco TelePresence, specifically the Video Communications Server (VCS) software, is also affected by a DoS vulnerability that can be exploited remotely without authentication. The same issue also affects the Expressway Series collaboration gateway.

The flaw exists in all versions of the Cisco Expressway Series and TelePresence VCS software prior to X8.8.2.

A separate advisory published by Cisco this week describes a high severity DoS vulnerability affecting the ASA CX Context-Aware Security module. An attacker can exploit the flaw to cause the module to no longer process traffic. Patches have yet to be released and there are no workarounds, but Cisco has provided some recommendations for limiting exposure.

These weaknesses have been found during the resolution of support cases and Cisco is not aware of any exploits in the wild.

Still no complete patch for critical WebEx flaw

A few days ago, Google Project Zero researcher Tavis Ormandy disclosed a critical remote code execution vulnerability affecting the Cisco WebEx browser extensions for Chrome, Firefox and Internet Explorer. The expert made the details of the flaw public after the networking giant informed him that the issue had been patched, but it later turned out that the fix was incomplete.

Cisco has confirmed that version 1.0.5 of the add-on does not fully address the problem found by Ormandy. The company is currently working on a proper patch.

The vulnerability allows an attacker to execute arbitrary code on WebEx users’ systems simply by getting them to access a specially crafted website. According to Cisco, the flaw is caused by a “design defect in an application programing interface (API) response parser within the plugin.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.