Cisco patches TelePresence control unit flaw
Cisco issues another patch for a security issue with a conferencing system
Cisco has patched a flaw in its TelePresence system that could allow hackers to run code or cause a denial-of-service attack.
The flaw in Cisco TelePrescence Multipoint Control Units has already been addressed via a patch, so admins should ensure software is up to date.
"The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets," Cisco said in an alert. "An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments to a port receiving content in Passthrough content mode. An exploit could allow the attacker to overflow a buffer. If successful, the attacker could execute arbitrary code or cause a DoS condition on the affected system."
The company said the 5300 Series, MSE 8510, and MCU 4500 models were at risk, but not the 4200 Series or the MSE 8420. However, Cisco isn't patching the MCU 4500, saying it passed the end of maintenence milestone in July of last year.
If users need to delay installing the patch or are using the MCU 4500, there is one mitigation: configure the MCU software to use transcoded content instead of passthrough content. That mode was only introduced in version 4.3 of the software, so older versions are not affected.
Cisco stressed that its security incident response team hasn't yet seen any attacks using the vulnerability, with the flaw spotted "during the resolution of a support case".
The patch follows a critical flaw in Cisco's WebEx Chrome plugin, which could have allowed hackers to execute code remotely on the machines of the tens of millions of businesses that use the web-based conferecing system. Cisco patched the system last week.