PT-2015-1313 · Cisco · Cisco Telepresence Video Communication Server+2

Andrey Medov

·

Published

2015-03-12

·

Updated

2019-06-11

·

CVE-2015-0653

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Cisco TelePresence Video Communication Server (VCS) versions prior to X7.2.4 Cisco TelePresence Video Communication Server (VCS) versions X8 prior to X8.1.2 Cisco TelePresence Video Communication Server (VCS) versions X8.2 prior to X8.2.2 Cisco Expressway versions prior to X7.2.4 Cisco Expressway versions X8 prior to X8.1.2 Cisco Expressway versions X8.2 prior to X8.2.2 Cisco TelePresence Conductor versions prior to X2.3.1 Cisco TelePresence Conductor versions XC2.4 prior to XC2.4.1
Description The management interface in the affected software allows remote attackers to bypass authentication via crafted login parameters. This is due to deficiencies in the authentication procedure. An attacker can exploit this issue to gain access to the device using a specially formed username.
Recommendations For Cisco TelePresence Video Communication Server (VCS) versions prior to X7.2.4, update to version X7.2.4 or later. For Cisco TelePresence Video Communication Server (VCS) versions X8 prior to X8.1.2, update to version X8.1.2 or later. For Cisco TelePresence Video Communication Server (VCS) versions X8.2 prior to X8.2.2, update to version X8.2.2 or later. For Cisco Expressway versions prior to X7.2.4, update to version X7.2.4 or later. For Cisco Expressway versions X8 prior to X8.1.2, update to version X8.1.2 or later. For Cisco Expressway versions X8.2 prior to X8.2.2, update to version X8.2.2 or later. For Cisco TelePresence Conductor versions prior to X2.3.1, update to version X2.3.1 or later. For Cisco TelePresence Conductor versions XC2.4 prior to XC2.4.1, update to version XC2.4.1 or later.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

BDU:2015-10378
BDU:2015-10379
BDU:2015-10380
CVE-2015-0653

Affected Products

Cisco Expressway
Cisco Telepresence Conductor
Cisco Telepresence Video Communication Server