Cisco TelePresence Server Denial of Service Vulnerability
Published: 2015-09-16T16:00:00
ID: CISCO-SA-20150916-TPS
Type: cisco
Reporter: Cisco
Modified: 2015-09-16T14:23:05
Description
A vulnerability in the Conference Control Protocol API of Cisco TelePresence Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is likely to result in only a DoS condition due to input sanitization performed on the user-supplied data before it is copied into the affected buffer. An attacker could exploit this vulnerability by providing a crafted URL that is designed to trigger the overflow condition.
Cisco TelePresence Server contains a buffer overflow vulnerability in the Conference Control Protocol API that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released software updates that address this vulnerability. No workarounds that mitigate this vulnerability are available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150916-tps
Related entries

CVE-2015-6284
Type: cve
Published: 2015-09-20T10:59:02
Last seen: 2017-04-18T15:57:54
CVSS: 7.8 (AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/)
Description: Buffer overflow in the Conference Control Protocol API implementation in Cisco TelePresence Server software before 4.1(2.33) on 7010, MSE 8710, Multiparty Media 310 and 320, and Virtual Machine devices allows remote attackers to cause a denial of service (device crash) via a crafted URL, aka Bug ID CSCuu28277.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6284

OPENVAS:1361412562310105378
Type: openvas
Title: Cisco TelePresence Server Denial of Service Vulnerability
Published: 2015-09-21T00:00:00
Last seen: 2018-04-12T11:44:16
CVSS: 7.8 (AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/)
CVE: CVE-2015-6284
Description: Cisco TelePresence Server contains a buffer overflow vulnerability in the Conference Control Protocol API that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
http://plugins.openvas.org/nasl.php?oid=1361412562310105378

CISCO_TELEPRESENCE_SERVER_SA_20150916_TPS.NASL
Type: nessus
Title: Cisco TelePresence Server Conference Control Protocol API URL Handling DoS (cisco-sa-20150916-tps)
Published: 2015-09-24T00:00:00
Last seen: 2017-10-29T13:35:36
CVSS: 7.8 (AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/)
CVE: CVE-2015-6284
Description: According to the self-reported version, the Cisco TelePresence Server running on the remote host is affected by a buffer overflow condition in the Conference Control Protocol API due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a crafted URL, to cause a denial of service.
https://www.tenable.com/plugins/index.php?view=single&id=86123