CiscoCISCO-SA-20140522-CVE-2014-3274Cisco TelePresence System Directory Information Disclosure Vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS
Percentile
30.7%
A vulnerability in the code retrieving directory information of Cisco TelePresence System (CTS) could allow an unauthenticated, remote attacker to intercept and read the content of a directory transferred between the CTS and the Cisco Unified Communications Manager (Cisco UCM).
The vulnerability is due to a failure to enforce HTTPS for transferring directory content. An attacker could exploit this vulnerability by blocking the connection over HTTPS between the CTS and Cisco UCM. Because of this vulnerability, the CTS will try to connect to the Cisco UCM via HTTP, which could allow Directory information to be gathered by observing the communication between the CTS and Cisco UCM.
Cisco has confirmed the vulnerability in a security notice and released software updates.
To exploit this vulnerability, it is likely that an attacker may need access to trusted, internal networks in which a targeted device and the Cisco UCM reside to attempt to block the connection over HTTPS between the two devices. This access requirement would likely reduce the likelihood of a success exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cisco | telepresence_system_software | any | cpe:2.3:a:cisco:telepresence_system_software:any:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS
Percentile
30.7%