Cisco TelePresence Video Communication Server Expressway Release Notes
Resolved caveats
Cisco TelePresence Video Communication Server X7.0.3 Software Release Notes
Page 13 of 31
Resolved in X7.0
Security-related issues
Internal reference | Identifier | Summary
Internal reference: 53663
Identifier: CSCtr80182
Summary: DNS cache poisoning attacks CVE-2008-1447: previous releases of Cisco VCS were vulnerable to CVE-2008-1447. Version X7.0 has been upgraded to use dnsmasq 2.57, which has resolved the issue.
Internal reference: 85524
Identifier: CSCtr80196
Summary: OpenSSL ciphersuite downgrade attack CVE-2010-4180 and OpenSSL ClientHello vulnerability CVE-2011-0014: previous releases of Cisco VCS were vulnerable to CVE-2010-4180 and CVE-2011-0014. Version X7.0 has been upgraded to use openssl 1.0.0d, which has resolved the issue.
Internal reference: 86485
Identifier: CSCtr32396
Summary: VCS Command Injection Vulnerability
Symptoms: administrator-entered values within the administrative interfaces of the Cisco VCS may not be properly sanitized. This could allow a malicious administrator to cause arbitrary commands to be executed on the underlying system.
Conditions: a device is running an affected version of Cisco VCS.
Workaround: restrict access to the administrative interfaces to trusted users only.
Further Problem Description: while this issue may allow an authenticated, remote attacker to cause arbitrary commands to be executed, any successful command execution is performed under the restricted 'nobody' account, limiting the direct impact of this issue.
Malicious values that are entered via the command line interface may not be immediately executed; instead, the malicious actions may be performed the next time an administrator accesses a page containing the malicious value via the administrative web interface.
PSIRT Evaluation: the Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4:
CVE ID CVE-2011-2538 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
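The caveat above describes two things a defender should take away: an administrator-entered value reaching a shell, and the value being stored and acted on later when a web page renders it. The Python below is an added example, not Cisco's code or anything from the VCS code base; it assumes a hypothetical administrative field that holds a hostname and shows the vulnerable string-splicing pattern beside the hardened form (allow-list validation at the point of use, then an argv list so no shell parses the value). The sample values are constructed.

```python
import re
import subprocess

# Constructed sample values for a hypothetical administrator-entered hostname
# field; neither value comes from the release notes.
SAMPLE_GOOD = "sip.example.com"
SAMPLE_BAD = "sip.example.com; echo injected"

# Allow-list for a DNS hostname: labels of letters, digits and hyphens joined by
# dots. Anything else (spaces, ';', '$', quotes, backticks, ...) is rejected
# outright rather than "sanitized", so a value stored earlier via the CLI is
# still checked when a later page or job picks it up.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def is_valid_hostname(value: str) -> bool:
    """True only if value matches the hostname allow-list and fits in 253 chars."""
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def build_command_unsafe(value: str) -> str:
    """The vulnerable pattern: the raw value is spliced into a shell command
    string. Returned here rather than executed, so the metacharacters that a
    shell would interpret stay visible in the result."""
    return "ping -c 1 " + value


def build_command_safe(value: str) -> list:
    """The hardened pattern: validate against the allow-list at the point of
    use, then build an argv list so the value is never parsed by a shell."""
    if not is_valid_hostname(value):
        raise ValueError(f"rejected value: {value!r}")
    return ["ping", "-c", "1", value]


def echo_as_argument(value: str) -> str:
    """Hand the value to /bin/echo as a single argv element and return what the
    child actually received. With no shell in the path, a value containing ';'
    comes back as one literal string, not as two commands."""
    proc = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print(build_command_unsafe(SAMPLE_BAD))   # ping -c 1 sip.example.com; echo injected
    print(build_command_safe(SAMPLE_GOOD))    # ['ping', '-c', '1', 'sip.example.com']
    print(echo_as_argument(SAMPLE_BAD))       # sip.example.com; echo injected
    try:
        build_command_safe(SAMPLE_BAD)
    except ValueError as exc:
        print(exc)                            # rejected value: 'sip.example.com; echo injected'
```

The design point is that rejection happens where the value is consumed, not only where it is entered: the caveat notes that a value entered on the CLI may be acted on later by the web interface, so an input-time filter on one interface does not cover the other.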
Internal reference: 86676
Identifier: CSCtr80205
Summary: PHP vulnerabilities CVE-2010-4697 and CVE-2006-7243: previous releases of Cisco VCS were vulnerable to CVE-2010-4697 and CVE-2006-7243. Version X7.0 has been upgraded to use php 5.3.5, which has resolved the issue.
Internal reference: 86985 / 119916
Identifier: CSCts82540 / CSCts80342
Summary: A vulnerability exists in Cisco TelePresence Video Communication Server (VCS) due to improper validation of user-controlled input to the web-based administrative interface. User-controlled input supplied to the login page via the HTTP User-Agent header is not properly sanitized for illegal or malicious content prior to being returned to the user in dynamically generated web content. A remote attacker could exploit this vulnerability to perform reflected cross-site scripting (XSS) attacks.
Billy Hoffman from Zoompf, Inc. discovered this vulnerability and Ben Feinstein from Dell SecureWorks reported it to Cisco. Cisco greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.
Cisco TelePresence Video Communication Server Software versions earlier than X7.0 are affected. This vulnerability has been corrected in Cisco TelePresence Video Communication Server Software version X7.0.
The Cisco Security Response has been published at:
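The XSS caveat above turns on one detail: a request header is reflected into the login page without output encoding. The Python below is an added example, not Cisco's code or the VCS login page; it assumes a hypothetical template that prints the User-Agent and shows the raw reflection beside the HTML-escaped form, plus a small check over constructed access-log lines that flags User-Agent values carrying markup, which is the log-side signal a defender would look for. The log format, addresses and User-Agent strings are all constructed.

```python
import html
import re

# Constructed User-Agent values (not from the release notes): a normal browser
# string and one carrying markup.
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
MARKUP_UA = "Mozilla/5.0 <script>probe</script>"

# Constructed access-log lines in Apache combined format; the User-Agent is the
# last quoted field.
ACCESS_LOG = [
    '198.51.100.7 - - [12/Mar/2012:10:01:02 +0000] "GET /login HTTP/1.1" 200 1532 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"',
    '198.51.100.9 - - [12/Mar/2012:10:01:05 +0000] "GET /login HTTP/1.1" 200 1602 "-" '
    '"Mozilla/5.0 <script>probe</script>"',
]

_PREFIX = "<p>Your browser: "
_SUFFIX = "</p>"


def render_login_unsafe(user_agent: str) -> str:
    """Vulnerable pattern: the header value is written into the HTML body raw."""
    return f"{_PREFIX}{user_agent}{_SUFFIX}"


def render_login_safe(user_agent: str) -> str:
    """Hardened pattern: HTML-escape the value (including quotes) at output time,
    so browser-supplied text can only ever be rendered as text."""
    return f"{_PREFIX}{html.escape(user_agent, quote=True)}{_SUFFIX}"


_TAG_RE = re.compile(r"<[A-Za-z/!]")


def contains_markup(rendered: str) -> bool:
    """True if a tag-like sequence survives inside the reflected part of the
    page, i.e. outside the template's own <p> wrapper."""
    body = rendered[len(_PREFIX):-len(_SUFFIX)]
    return _TAG_RE.search(body) is not None


_UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')
_IP_RE = re.compile(r"^(\S+)")
_SUSPECT_CHARS = set("<>\"'")


def flag_suspicious_user_agents(log_lines):
    """Return (client_ip, user_agent) for every line whose User-Agent contains
    characters that have no place in a legitimate browser string. A hit is a
    reason to review the request, not proof of exploitation."""
    flagged = []
    for line in log_lines:
        match = _UA_FIELD_RE.search(line)
        if not match:
            continue
        user_agent = match.group(1)
        if any(ch in _SUSPECT_CHARS for ch in user_agent):
            flagged.append((_IP_RE.match(line).group(1), user_agent))
    return flagged


if __name__ == "__main__":
    print(render_login_unsafe(MARKUP_UA))   # markup reaches the page intact
    print(render_login_safe(MARKUP_UA))     # <p>Your browser: Mozilla/5.0 &lt;script&gt;probe&lt;/script&gt;</p>
    print(flag_suspicious_user_agents(ACCESS_LOG))
```

Escaping at output time rather than filtering at input time is the fix that generalizes: the header is attacker-controlled on every request, and the same escaping applies to any other request field the page reflects.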