Cisco TelePresence Video Communication Server Expressway Release Notes
Cisco TelePresence Video Communication Server X7.0.1 Software Release Notes
Resolved caveats
The following issues were found in previous releases and were resolved in X7.n.
Resolved in X7.0.1
Internal reference: 120030
Identifier: CSCts87885
Summary: DNS lookup problems that make VCS appear to have a hardware fault: for a Cisco VCS Expressway running X7.0 with DNS zones configured (e.g. for business to business calling), it has been observed when there are DNS lookup issues that the VCS may get into a hung state. When the DNS lookup problem occurs the VCS does not respond to Web, SSH, Telnet or Serial access. This issue has now been resolved.
Resolved in X7.0
Security-related issues
Internal reference: 53663
Identifier: CSCtr80182
Summary: DNS cache poisoning attacks CVE-2008-1447: previous releases of Cisco VCS were vulnerable to CVE-2008-1447. Version X7.0 has been upgraded to use dnsmasq 2.57 which has resolved the issue.
Internal reference: 85524
Identifier: CSCtr80196
Summary: OpenSSL Ciphersuite Downgrade Attack CVE-2010-4180 and OpenSSL ClientHello vulnerability CVE-2011-0014: previous releases of Cisco VCS were vulnerable to CVE-2010-4180 and CVE-2011-0014. Version X7.0 has been upgraded to use OpenSSL 1.0.0d, which has resolved the issue.
Internal reference: 86485
Identifier: CSCtr32396
Summary: VCS Command Injection Vulnerability
Symptoms:
Administrator-entered values within the administrative interfaces of the Cisco VCS may not be properly sanitized. This could allow a malicious administrator to cause arbitrary commands to be executed on the underlying system.
Conditions:
A device is running an affected version of Cisco VCS.
Workaround:
Restrict access to the administrative interfaces to trusted users only.
Further Problem Description:
While this issue may allow an authenticated, remote attacker to cause arbitrary commands to be executed, any successful command execution is performed under the restricted 'nobody' account, restricting the direct impact of this issue.
Malicious values that are entered via the command line interface may not be immediately executed, and instead the malicious actions may be performed the next time an administrator accesses a page containing the malicious value via the administrative web interface.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4: