Release Date: 19-Sep-2011

Last Update: –

Vendor Notification Date: 21-Feb-2011

Product: Cisco TelePresence Series

Platform: Cisco

Affected versions: C <= TC4.1.2, MXP <= F9.1

Severity Rating: Low – Medium

Impact: Cookie/credential theft, impersonation, loss of confidentiality, client-side code execution, denial of service.

Solution Status: Vendor patch

CVE reference: CVE-2011-2544 (CSCtq46488)
CVE-2011-2543 (CSCtq46496)
CVE-2011-2577 (CSCtq46500)

Details

Cisco TelePresence is an umbrella term for Video Conferencing Hardware and Software, Infrastructure and Endpoints. The C & MXP Series are the Endpoints used on desks or in boardrooms to provide users with a termination point for Video Conferencing.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Upgrade to TC4.2 for the C series to fix validation issues.

Discovered By

David Klein from Sense of Security Labs.