ID CVE-2016-1387 Type cve Reporter cve@mitre.org Modified 2016-12-01T03:05:00
Description
The XML API in TelePresence Codec (TC) 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, and 7.3.5 and Collaboration Endpoint (CE) 8.0.0, 8.0.1, and 8.1.0 in Cisco TelePresence Software mishandles authentication, which allows remote attackers to execute control commands or make configuration changes via an API request, aka Bug ID CSCuz26935.
{"openvas": [{"lastseen": "2019-05-29T18:35:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1387"], "description": "Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software are vulnerable to a\n vulnerability in the XML application programming interface (API) which could allow an unauthenticated, remote\n attacker to bypass authentication and access a targeted system through the API", "modified": "2019-05-10T00:00:00", "published": "2016-05-13T00:00:00", "id": "OPENVAS:1361412562310107002", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107002", "type": "openvas", "title": "Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Cisco TelePresence TC and TE Software Multiple Security Vulnerabilities\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:telepresence_mcu_mse_series_software\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107002\");\n script_cve_id(\"CVE-2016-1387\");\n\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:C\");\n\n script_version(\"2019-05-10T14:24:23+0000\");\n\n script_name(\"Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability \");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml\");\n\n script_tag(name:\"last_modification\", value:\"2019-05-10 14:24:23 +0000 (Fri, 10 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-13 16:46:52 +0200 (Fri, 13 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n\n script_dependencies(\"gb_cisco_telepresence_detect_snmp.nasl\", \"gb_cisco_telepresence_detect_ftp.nasl\");\n script_mandatory_keys(\"cisco/telepresence/typ\", \"cisco/telepresence/version\");\n\n script_tag(name:\"impact\", value:\"A successful exploit could allow the attacker to perform unauthorized configuration changes\n or issue control commands to the affected system by using the API.\");\n\n script_tag(name:\"vuldetect\", value:\"The script detects the firmware version.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability is due to improper implementation of authentication mechanisms for the XML\n API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API.\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.3.6, 8.1.1 or later.\");\n\n script_tag(name:\"summary\", value:\"Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software are vulnerable to a\n vulnerability in the XML application programming interface (API) which could allow an unauthenticated, remote\n attacker to bypass authentication and access a targeted system through the API\");\n\n script_tag(name:\"affected\", value:\"This vulnerability affects Cisco TelePresence Software releases TC 7.2.0, TC 7.2.1, TC 7.3.0,\n TC 7.3.1, TC 7.3.2, TC 7.3.3, TC 7.3.4, TC 7.3.5, CE 8.0.0, CE 8.0.1, and CE 8.1.0 running on the following Cisco products:\n\n - TelePresence EX Series\n\n - TelePresence Integrator C Series\n\n - TelePresence MX Series\n\n - TelePresence Profile Series\n\n - TelePresence SX Series\n\n - TelePresence SX Quick Set Series\n\n - TelePresence VX Clinical Assistant\n\n - TelePresence VX Tactical\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! vers = get_app_version(cpe:CPE) ) exit( 0 );\nif( ! typ = get_kb_item( \"cisco/telepresence/typ\" ) ) exit( 0 );\n\nif( typ !~ ' EX(6|9)0$' && typ !~ ' C(2|4|6|9)0$' &&\n typ !~ ' SX(1|2|8)0$' && typ !~ 'MX(2|3|7|8)00$' && typ !~ 'G2$'\n && typ !~ 'SpeakerTrack$' && typ !~ ' (42|52)/55$' && typ !~ ' (42|52)/55( Dual$)'\n && typ !~ ' (42|52)/55( C40$)') exit( 0 );\n\nversion = eregmatch(pattern: \"^T[CE]([^$]+$)\", string:vers, icase:TRUE);\n\nif( isnull( version[1] ) ) exit( 0 );\n\nverscat = version[0];\nvers = version[1];\n\nif (verscat =~ \"^ce.\")\n{\n if( vers =~ \"^8\\.0\\.[0|1]\" || vers =~ \"^8\\.1\\.0\\.\") fix = '8.1.1';\n}\nelse if (verscat =~ \"^tc.\")\n{\n if( vers =~ \"^7\\.2\\.[0|1]\" || vers =~ \"^7\\.3\\.[0-5]\") fix = '7.3.6';\n}\n\nif( ! fix ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:fix ) )\n{\n report = 'Installed version: ' + vers + '\\nFixed version: ' + fix;\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "cisco": [{"lastseen": "2020-12-24T11:41:23", "bulletinFamily": "software", "cvelist": ["CVE-2016-1387"], "description": "A vulnerability in the XML application programming interface (API) of Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, remote attacker to bypass authentication and access a targeted system through the API.\n\nThe vulnerability is due to improper implementation of authentication mechanisms for the XML API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API. A successful exploit could allow the attacker to perform unauthorized configuration changes or issue control commands to the affected system by using the API.\n\nCisco has released software updates that address this vulnerability. There is a workaround that addresses this vulnerability.\n\nThis advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml\"]", "modified": "2016-05-04T13:31:23", "published": "2016-05-04T16:00:00", "id": "CISCO-SA-20160504-TPXML", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml", "type": "cisco", "title": "Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "nessus": [{"lastseen": "2021-04-01T01:40:49", "description": "The remote host is running a version of Cisco TelePresence Codec (TC)\nthat is 7.2.x prior to 7.3.6 or a version of Cisco Collaboration\nEndpoint (CE) software that is 8.x prior 8.1.1. It is, therefore,\naffected by an authentication bypass vulnerability in the XML\napplication programming interface (API) of Cisco TC or Cisco CE due to\nimproper implementation of authentication mechanisms for the XML API.\nAn unauthenticated, remote attacker can exploit this, via a crafted\nHTTP request to the XML API, to bypass authentication and perform\nunauthorized configuration changes or issue control commands.", "edition": 29, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-13T00:00:00", "title": "Cisco TelePresence XML API HTTP Request Handling Authentication Bypass (cisco-sa-20160504-tpxml)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1387"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:cisco:telepresence_tc_software", "x-cpe:/a:cisco:telepresence_ce_software"], "id": "CISCO-SA-20160504-TPXML.NASL", "href": "https://www.tenable.com/plugins/nessus/91130", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91130);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/19\");\n\n script_cve_id(\"CVE-2016-1387\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCuz26935\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20160504-tpxml\");\n\n script_name(english:\"Cisco TelePresence XML API HTTP Request Handling Authentication Bypass (cisco-sa-20160504-tpxml)\");\n script_summary(english:\"Checks the software version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Cisco TelePresence Codec (TC)\nthat is 7.2.x prior to 7.3.6 or a version of Cisco Collaboration\nEndpoint (CE) software that is 8.x prior 8.1.1. It is, therefore,\naffected by an authentication bypass vulnerability in the XML\napplication programming interface (API) of Cisco TC or Cisco CE due to\nimproper implementation of authentication mechanisms for the XML API.\nAn unauthenticated, remote attacker can exploit this, via a crafted\nHTTP request to the XML API, to bypass authentication and perform\nunauthorized configuration changes or issue control commands.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a4e80bb3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco TelePresence Codec (TC) version 7.3.6 or Cisco\nCollaboration Endpoint (CE) version 8.1.1. Alternatively, apply the\nworkaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1387\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/13\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:telepresence_tc_software\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:cisco:telepresence_ce_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_telepresence_mcu_detect.nasl\");\n script_require_keys(\"Cisco/TelePresence_MCU/Device\", \"Cisco/TelePresence_MCU/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"Cisco TelePresence TC/CE software\";\ndevice = get_kb_item_or_exit(\"Cisco/TelePresence_MCU/Device\");\nversion = get_kb_item_or_exit(\"Cisco/TelePresence_MCU/Version\");\nflag = FALSE;\n\n# Affected models:\n# TelePresence EX Series\n# TelePresence Integrator C Series\n# TelePresence MX Series\n# TelePresence Profile Series\n# TelePresence SX Series\n# TelePresence SX Quick Set Series\n# TelePresence VX Clinical Assistant\n# TelePresence VX Tactical\n# Note: VX Tactical/Clinical identify as SX20\nif (\n device !~ \" C[2469]0($|[ \\n\\r])\" &&\n device !~ \" EX[69]0($|[ \\n\\r])\" &&\n device !~ \" MX[2378]00(\\sG2)?($|[ \\n\\r])\" &&\n device !~ \" Profile.+($|[ \\n\\r])\" &&\n device !~ \" SX[128]0($|[ \\n\\r])\"\n) audit(AUDIT_HOST_NOT, \"an affected Cisco TelePresence device\");\n\n# Based on headers returned during testing/research, TC is upper-case\n# and ce is lowercase in the SoftW: section of the header. \nshort_version = eregmatch(pattern: \"^(TC|ce)(\\d+(?:\\.\\d+){0,2})\", string:version);\nif (isnull(short_version))\n audit(AUDIT_NOT_DETECT, app_name);\nelse{\n short_type = short_version[1];\n short_num = short_version[2];\n}\n\nif(short_type == \"TC\"){\n if (short_num =~ \"^7(\\.3)?$\") audit(AUDIT_VER_NOT_GRANULAR, app_name, version);\n if (short_num =~ \"^7\\.[23]\" && ver_compare(ver:short_num, fix:'7.3.6', strict:FALSE) < 0)\n flag = TRUE;\n}\nelse if (short_type == \"ce\"){\n if (short_num =~ \"^8(\\.1)?$\") audit(AUDIT_VER_NOT_GRANULAR, app_name, version);\n if (short_num =~ \"^8\\.\" && ver_compare(ver:short_num, fix:'8.1.1', strict:FALSE) < 0)\n flag = TRUE;\n}\nelse audit(AUDIT_NOT_DETECT, app_name);\n\nif (flag)\n{\n # Paranoid because we can't be sure XML API is running\n # or isn't disabled, as per workaround in advisory\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n port = 0;\n\n report = '\\n Detected version : ' + version +\n '\\n Fixed version : See solution.' +\n '\\n Cisco bug ID : CSCuz26935' +\n '\\n';\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:23", "bulletinFamily": "info", "cvelist": ["CVE-2016-1368", "CVE-2016-1369", "CVE-2016-1387"], "description": "Cisco Systems said it has patched a critical flaw tied to its TelePresence hardware that allowed unauthorized third-parties to access the system via an API bug. The networking behemoth also alerted customers to a duo of denial of service attack vulnerabilities that represent a high risk for its FirePOWER firewall hardware.\n\nThe United States Computer Emergency Readiness Team (US-CERT) [issued an alert on Wednesday](<https://www.us-cert.gov/ncas/current-activity/2016/05/04/Cisco-Releases-Security-Updates>) and said Cisco has provided patches for the affected products.\n\nThe most serious of the flaws is tied to Cisco\u2019s TelePresence XML application programming interface and allows hackers to bypass the authentication process for its TelePresence EX, MX, SX and VX hardware. Hackers with knowledge of the vulnerability are able to perform unauthorized configuration changes or issue control commands to TelePresence hardware running affected software.\n\nCisco issued a patch ([CVE-2016-1387](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml>)) for the TelePresence bug. Cisco wrote: \u201cThe vulnerability is due to improper implementation of authentication mechanisms for the XML API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API.\u201d\n\nCisco also notified customers on Wednesday of two vulnerabilities labeled as high that could allow an attacker to launch denial of service attacks. Both these vulnerabilities are tied to Cisco\u2019s enterprise firewall hardware (ASA 5585-X FirePOWER SSP).\n\nOne of those denial of service vulnerabilities ([CVE-2016-1369](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-fpkern>)) stems from a flaw in the kernel logging configuration for Firepower System Software for the Adaptive Security Appliance. According to Cisco the bug \u201ccould allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to high consumption of system resources.\u201d\n\nCisco said there are no workarounds for the vulnerabilities and is urging customers to download a free software update for affected software.\n\nThe second vulnerability is also classified as high and relates to the firewall hardware\u2019s (ASA 5585-X FirePOWER SSP) packet processing functions. Cisco says the flaw ([CVE-2016-1368](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-firepower>)) could allow a remote attacker to trigger an affected firewall sub-system to stop inspecting and processing packets, resulting in conditions ripe for a denial of service attack.\n\n\u201cThe vulnerability is due to improper packet handling by the affected software when packets are passed through the sensing interfaces of an affected system. An attacker could exploit this vulnerability by sending crafted packets through a targeted system,\u201d Cisco wrote.\n\nSpecific products affected by the packet processing vulnerability are both Cisco\u2019s FirePOWER firewall models 7000 and 8000 running FirePOWER System Software releases 5.3.0 through 5.3.0.6 and 5.4.0 through 5.4.0.3.\n\nUpdates to fix the vulnerability can be found [on Cisco\u2019s site](<http://www.cisco.com/c/en/us/td/docs/general/warranty/English/EU1KEN_.html>).\n", "modified": "2016-05-05T22:26:08", "published": "2016-05-04T17:17:04", "id": "THREATPOST:0674B5D6782927D685E42C7DEA161EBE", "href": "https://threatpost.com/cisco-patches-critical-telepresence-vulnerability/117866/", "type": "threatpost", "title": "Cisco Issues Critical Security Warning Tied to TelePresence Hardware", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:COMPLETE/"}}]}
