Cisco TelePresence Video Communication Server SDP Over SIP Denial of Service Vulnerability

2015-06-09T18:34:07
ID CISCO-SA-20150609-CVE-2015-0772
Type cisco
Reporter Cisco
Modified 2015-06-09T14:09:58

Description

A vulnerability in the Session Description Protocol (SDP) parser of the Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to cause the Cisco VCS device to become unreachable due to a denial of service (DoS) attack caused by high CPU utilization.

The vulnerability is due to a parsing error in the SDP parameter negotiation request. An attacker could exploit this vulnerability by initiating an SDP session over a Session Initiation Protocol (SIP) connection to the Cisco VCS device and sending a crafted SDP parameter negotiation request. A successful exploit could allow the attacker to take the VCS device offline due to high CPU utilization, resulting in a DoS condition.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit this vulnerability, an attacker would need to send a crafted SDP parameter negotiation request to the targeted device. Depending on where the targeted system resides in an environment, an attacker may need to bypass firewall restrictions or other protection measures, which may reduce the likelihood of a successful exploit.