Cisco Patches Telepresence Attack Flaw

Cisco said its Telepresence control units are affected by a bug that could allow remote attackers to execute malicious code or shut down the system.

The Telepresence products, which offer a high-end form of teleconferencing, contain a vulnerability in the way they deal with IP packets that could allow a buffer overflow, Cisco said in an advisory.

Buffer overflow

“The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets,” Cisco said. “An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments to a port receiving content in Passthrough content mode. An exploit could allow the attacker to overflow a buffer. If successful, the attacker could execute arbitrary code or cause a (denial-of-service) condition on the affected system.”
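The kind of size validation the advisory describes as missing, shown as an added C example; this is not Cisco's code and is not taken from the advisory. The structure, the function names and the 65,535-byte cap are assumptions made for illustration, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REASM_CAP 65535u          /* assumed cap: largest IPv4 datagram */

struct reasm {
    uint8_t buf[REASM_CAP];
    size_t  total_len;            /* set once the last fragment (MF=0) is seen */
    size_t  highest;              /* highest byte offset written so far */
};

enum frag_result { FRAG_OK = 0, FRAG_BAD_ALIGN, FRAG_TOO_BIG, FRAG_INCONSISTENT };

/* frag_off_units: 13-bit fragment offset field, counted in 8-byte units.
 * more_frags: the MF flag. payload/len: fragment data after the IP header. */
enum frag_result reasm_add(struct reasm *r, uint16_t frag_off_units,
                           int more_frags, const uint8_t *payload, size_t len)
{
    size_t off = (size_t)(frag_off_units & 0x1FFF) * 8;

    /* Every fragment except the last must carry a non-empty multiple of 8. */
    if (more_frags && (len == 0 || len % 8 != 0))
        return FRAG_BAD_ALIGN;
    /* Size validation: offset + length must fit the reassembly buffer.
     * Written as a subtraction so the comparison itself cannot wrap. */
    if (len > REASM_CAP || off > REASM_CAP - len)
        return FRAG_TOO_BIG;

    size_t end = off + len;
    /* Once the total length is known, nothing may extend past it. */
    if (r->total_len != 0 && end > r->total_len)
        return FRAG_INCONSISTENT;
    if (!more_frags) {
        if ((r->total_len != 0 && r->total_len != end) || end < r->highest)
            return FRAG_INCONSISTENT;
        r->total_len = end;
    }
    memcpy(r->buf + off, payload, len);   /* safe: bounds checked above */
    if (end > r->highest)
        r->highest = end;
    return FRAG_OK;
}

static struct reasm demo;                 /* zero-initialised demo state */
static const uint8_t sample[16];          /* constructed sample payload */

int main(void) {
    /* A fragment at the maximum offset whose data would run past the cap. */
    return reasm_add(&demo, 0x1FFF, 0, sample, 8) == FRAG_TOO_BIG ? 0 : 1;
}
```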

The company said it had discovered the bug while resolving a technical support issue and wasn’t aware of reports of the issue being exploited.

It said the Telepresence MCU 5300 Series, MCU MSE 8510 and MCU 4500 products are vulnerable, while the MCU 4200 Series and MCU MSE 8420 have been confirmed as not vulnerable.

No workaround

A patch is available for the affected devices, with the exception of the MCU 4500, which Cisco said reached the end of its software support in July of last year.

For those unable to patch right away, no workaround is available, which could leave those systems exposed to attacks now that the vulnerability has been disclosed, Cisco said.

However, the problem can be mitigated by setting the software to use Transcoded content mode rather than Passthrough mode, according to the advisory. Cisco warned the settings change may result in lower-quality video resolution.

Last week the company issued an express patch for a bug in its WebEx plugin for the Chrome browser, used by around 20 million clients, which could have allowed attackers to execute malicious code on Windows systems.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
