Security Experts:

Cisco Patches Serious Flaws in Collaboration Products

Cisco has released software updates that patch critical and high severity vulnerabilities in its TelePresence and Expressway collaboration products.

The most severe of them is a critical remote code execution vulnerability affecting the device driver in the kernel of Cisco TelePresence Multipoint Control Unit (MCU). The flaw can be exploited by a remote, unauthenticated attacker to trigger a buffer overflow and execute arbitrary code or cause a denial-of-service (DoS) condition.

The security hole, tracked as CVE-2017-3792, affects TelePresence MCU 5300 Series, MCU MSE 8510 and MCU 4500 when running version 4.3(1.68) or later of the software – versions prior to 4.3(1.68) are not impacted. Affected users have been advised to update to version 4.5(1.89).

Cisco TelePresence, specifically the Video Communications Server (VCS) software, is also affected by a DoS vulnerability that can be exploited remotely without authentication. The same issue also affects the Expressway Series collaboration gateway.

The flaw exists in all versions of the Cisco Expressway Series and TelePresence VCS software prior to X8.8.2.

A separate advisory published by Cisco this week describes a high severity DoS vulnerability affecting the ASA CX Context-Aware Security module. An attacker can exploit the flaw to cause the module to no longer process traffic. Patches have yet to be released and there are no workarounds, but Cisco has provided some recommendations for limiting exposure.

These weaknesses have been found during the resolution of support cases and Cisco is not aware of any exploits in the wild.

Still no complete patch for critical WebEx flaw

A few days ago, Google Project Zero researcher Tavis Ormandy disclosed a critical remote code execution vulnerability affecting the Cisco WebEx browser extensions for Chrome, Firefox and Internet Explorer. The expert made the details of the flaw public after the networking giant informed him that the issue had been patched, but it later turned out that the fix was incomplete.

Cisco has confirmed that version 1.0.5 of the add-on does not fully address the problem found by Ormandy. The company is currently working on a proper patch.

The vulnerability allows an attacker to execute arbitrary code on WebEx users’ systems simply by getting them to access a specially crafted website. According to Cisco, the flaw is caused by a “design defect in an application programing interface (API) response parser within the plugin.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.