Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Software include the following vulnerabilities:

- Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability
- Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service Vulnerability
- Cisco TelePresence VCS and Cisco Expressway SIP Denial of Service Vulnerability

Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to cause a reload of the affected system, which may result in a denial of service (DoS) condition.

Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-vcs

Note: This security advisory does not provide information about the GNU Bash Environment Variable Command Injection Vulnerability (also known as Shellshock). For additional information regarding Cisco products affected by that vulnerability, refer to the Cisco Security Advisory at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
[...]
*c xConfiguration Zones Zone 2 Neighbor SIP SearchAutoResponse: "Off"
*c xConfiguration Zones Zone 2 Neighbor SIP TLS Verify Mode: "Off"
*c xConfiguration Zones Zone 2 Neighbor SIP Transport: "TCP"
*c xConfiguration Zones Zone 2 Neighbor SIP UDP BFCP Filter Mode: "Off"
*c xConfiguration Zones Zone 2 Neighbor SIP UDP IX Filter Mode: "On"
*c xConfiguration Zones Zone 2 Neighbor SIP UPDATE Strip Mode: "Off"
*c xConfiguration Zones Zone 2 Neighbor SignalingRouting Mode: "Auto"
*c xConfiguration Zones Zone 2 Neighbor ZoneProfile: "CiscoUnifiedCommunicationsManagerBFCP"
[...]
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The following table summarizes the first fixed release for each vulnerability in both Cisco TelePresence VCS and Cisco Expressway software. The Recommended Release row gives the release that resolves all the vulnerabilities in this security advisory.

Vulnerability | First Fixed Release
Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability | X8.2 and later
Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service Vulnerability | X8.1.1 and later
Cisco TelePresence VCS and Cisco Expressway SIP Denial of Service Vulnerability | X8.1.1 and later
Recommended Release | X8.2 and later
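The check a practitioner wants from this table is a quick comparison of the release actually running on a VCS or Expressway against the first fixed releases above, plus an inventory of the per-zone "SIP UDP IX Filter Mode" setting from the xConfiguration excerpt earlier on this page. The following script is an added example and is not part of the Cisco advisory or any Cisco tool. It assumes (not stated on the page) that release strings have the form "X" followed by dot-separated integers, as in X8.1.1 and X8.2, and that a missing trailing component compares as zero. The zone inventory only reports the setting's value; the advisory excerpt does not say whether that setting gates the SIP IX Filter vulnerability, so the script makes no such claim. The sample xConfiguration lines are constructed in the same format as the excerpt.

```python
"""Added example (not from the Cisco advisory): compare a running
Cisco TelePresence VCS / Expressway release against the first fixed
releases in cisco-sa-20141015-vcs, and inventory the per-zone
'SIP UDP IX Filter Mode' value from xConfiguration output."""
import re

# First fixed release per vulnerability, copied from the advisory's table.
FIRST_FIXED = {
    "Crafted Packets Denial of Service": "X8.2",
    "SIP IX Filter Denial of Service": "X8.1.1",
    "SIP Denial of Service": "X8.1.1",
}
RECOMMENDED = "X8.2"  # Recommended Release row of the table


def parse_release(release):
    """Turn 'X8.1.1' or 'X8.2' into a comparable tuple of ints.

    Assumption (not from the advisory): releases are 'X' followed by
    dot-separated integers; missing trailing components count as 0,
    so 'X8.2' becomes (8, 2, 0) and sorts below 'X8.2.1'.
    """
    m = re.fullmatch(r"X(\d+(?:\.\d+)*)", release.strip())
    if not m:
        raise ValueError("unrecognised release string: %r" % release)
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def unfixed_vulnerabilities(running):
    """Names of advisory vulnerabilities whose first fixed release is
    newer than the running release (order follows FIRST_FIXED)."""
    cur = parse_release(running)
    return [name for name, fixed in FIRST_FIXED.items()
            if cur < parse_release(fixed)]


def meets_recommended(running):
    """True when the running release is at or above the Recommended Release."""
    return parse_release(running) >= parse_release(RECOMMENDED)


# Matches the xConfiguration line format shown in the advisory excerpt.
ZONE_RE = re.compile(
    r'^\*c xConfiguration Zones Zone (\d+) Neighbor SIP UDP IX Filter Mode: "(\w+)"'
)


def ix_filter_zones(xconfig_text):
    """Map zone number -> 'SIP UDP IX Filter Mode' value from xConfiguration
    output. Reported for inventory only; this does not decide exposure."""
    result = {}
    for line in xconfig_text.splitlines():
        m = ZONE_RE.match(line.strip())
        if m:
            result[int(m.group(1))] = m.group(2)
    return result


# Constructed sample input in the same format as the advisory's excerpt.
SAMPLE_XCONFIG = """\
*c xConfiguration Zones Zone 2 Neighbor SIP Transport: "TCP"
*c xConfiguration Zones Zone 2 Neighbor SIP UDP BFCP Filter Mode: "Off"
*c xConfiguration Zones Zone 2 Neighbor SIP UDP IX Filter Mode: "On"
*c xConfiguration Zones Zone 3 Neighbor SIP UDP IX Filter Mode: "Off"
"""

if __name__ == "__main__":
    for rel in ("X7.2.3", "X8.1.1", "X8.2", "X8.2.1"):
        print(rel, "unfixed:", unfixed_vulnerabilities(rel),
              "meets recommended:", meets_recommended(rel))
    print("IX filter mode per zone:", ix_filter_zones(SAMPLE_XCONFIG))
```

Feed the output of the device's own "xConfiguration" command to ix_filter_zones and the release reported by the device to unfixed_vulnerabilities; a release such as X8.1.1 clears the two SIP issues but not the Crafted Packets issue, which is why the table's Recommended Release is X8.2 rather than the lowest first-fixed release.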
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
These vulnerabilities were found during internal tests.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description
1.0 | 2014-October-15 | Initial public release
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.