Cisco patches TelePresence control unit flaw

Cisco issues another patch for a security issue with a conferencing system

Cisco has patched a flaw in its TelePresence system that could allow hackers to run code or cause a denial-of-service attack. 

The flaw in Cisco TelePrescence Multipoint Control Units has already been addressed via a patch, so admins should ensure software is up to date. 

"The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets," Cisco said in an alert. "An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments to a port receiving content in Passthrough content mode. An exploit could allow the attacker to overflow a buffer. If successful, the attacker could execute arbitrary code or cause a DoS condition on the affected system."

Advertisement - Article continues below

The company said the 5300 Series, MSE 8510, and MCU 4500 models were at risk, but not the 4200 Series or the MSE 8420. However, Cisco isn't patching the MCU 4500, saying it passed the end of maintenence milestone in July of last year.

If users need to delay installing the patch or are using the MCU 4500, there is one mitigation: configure the MCU software to use transcoded content instead of passthrough content. That mode was only introduced in version 4.3 of the software, so older versions are not affected. 

Advertisement
Advertisement - Article continues below

Cisco stressed that its security incident response team hasn't yet seen any attacks using the vulnerability, with the flaw spotted "during the resolution of a support case". 

The patch follows a critical flaw in Cisco's WebEx Chrome plugin, which could have allowed hackers to execute code remotely on the machines of the tens of millions of businesses that use the web-based conferecing system. Cisco patched the system last week.

Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/security/privacy/355211/google-releases-location-data-to-showcase-effectiveness-of-coronavirus
privacy

Google releases location data to show effectiveness of coronavirus lockdowns

3 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

2 Apr 2020