-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0230
          Cisco TelePresence Multipoint Control Unit Remote Code
                          Execution Vulnerability
                              26 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco TelePresence MCU
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3792  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-telepresence

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco TelePresence Multipoint Control Unit Remote Code Execution Vulnerability

Critical

Advisory ID: cisco-sa-20170125-telepresence

First Published: 2017 January 25 16:00 GMT

Version 1.0: Final

Workarounds: Yes

Cisco Bug IDs:

CSCuu67675

CVSS Score:

Base 9.8, Temporal 9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

CVE-2017-3792

CWE-20

Summary

A vulnerability in a proprietary device driver in the kernel of Cisco 
TelePresence Multipoint Control Unit (MCU) Software could allow an 
unauthenticated, remote attacker to execute arbitrary code or cause a denial 
of service (DoS) condition.

The vulnerability is due to improper size validation when reassembling 
fragmented IPv4 or IPv6 packets. An attacker could exploit this vulnerability
by sending crafted IPv4 or IPv6 fragments to a port receiving content in 
Passthrough content mode. An exploit could allow the attacker to overflow a 
buffer. If successful, the attacker could execute arbitrary code or cause a 
DoS condition on the affected system.

Cisco has released software updates that address this vulnerability. 
Workarounds that address this vulnerability are not available.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-telepresence

Affected Products

Vulnerable Products

The following Cisco TelePresence MCU platforms are affected when running 
software version 4.3(1.68) or later configured for Passthrough content mode:

TelePresence MCU 5300 Series

TelePresence MCU MSE 8510

TelePresence MCU 4500

Administrators can verify the current Software version by navigating to the 
General status page under Status > General in the web-based graphical user 
interface (GUI). The Content mode can be verified under Conferences > 
Conference "Name" > Configuration.

Products Confirmed Not Vulnerable

The following Cisco TelePresence MCU platforms are not affected by this 
vulnerability in any software release:

TelePresence MCU 4200 Series

TelePresence MCU MSE 8420

Workarounds

There are no workarounds that address this vulnerability.

Mitigations

To prevent exploitation of this vulnerability, customers can configure 
TelePresence MCU Software to use Transcoded content mode instead of 
Passthrough content mode.

Note: In Transcoded content mode, video resolution might be lower than in 
Passthrough content mode.

Fixed Software

Cisco has released free software updates that address the vulnerability 
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle 
customers to a new software license, additional software feature sets, or 
major revision upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade 
solution.

In all cases, customers should ensure that the devices to upgrade contain 
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service 
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should 
obtain upgrades by contacting the Cisco TAC:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to 
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

In the following table the left column lists major releases of Cisco 
TelePresence Software. The right column indicates whether a major release is 
affected by the vulnerability described in this advisory and the first release
that includes the fix for this vulnerability. Customers should upgrade to an 
appropriate release as indicated in the following table:

Cisco TelePresence Software Major Release

First Fixed Release

4.2 and earlier

Not affected

4.31

Affected; migrate to 4.5(1.89)

4.4

Affected; migrate to 4.5(1.89)

4.5 Affected; migrate to 4.5(1.89)

1 Passthrough content mode was only introduced in version 4.3(1.68). 
TelePresence Software 4.3 releases prior to 4.3(1.68) are not affected by this
vulnerability.

Note: There will be no fix for the TelePresence MCU 4500 platform as that 
platform has reached the end-of-software maintenance milestone on July 9, 
2016:

End-of-Sale and End-of-Life Announcement for the Cisco TelePresence MCU 4500 
Series

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described 
in this advisory.

Source

This vulnerability was found during the resolution of a support case.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-telepresence

Revision History

Version Description Section Status Date

1.0 Initial public release. Final 2017-January-25

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO 
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the 
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end 
users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWIlNYIx+lLeg9Ub1AQjUvRAAkcysbNWcXi4MSdiunCZPSamZOPdaSGwY
w6S7mDJgsyoXWYj0ddUBGQc9eqX8hQ+xOOiAVKy4XBfL8axFs8lpMNjIBziGGRgo
N+PpqAC/sF+ZGD7X3QSPmQaJ44zxk1UMBQiKKHegwhrOZRknqy+eJ0l+s9vHOEC1
Wl6JFI0KOiZBpOePwQVod7JlNlykPXF8lwFo55t3JYrUbX3vuA6YAPsR4mn7bvPe
2uUrqDsVp5N8Dga2Z2JgmAZC7BSVsRWCWP+yggizvFD3i+7RiUHqPyU8sZuu4TF+
Og7r4cIe7m0Ym2LfFK+tEu6C8mnILMJead1VNraIxKuaTPSryLZOfWWHD7rIIrtl
ZwvArlO0F46Z5FCER/fRuxGu9UuDFvcGIwUcx4IpPx8OLpRBzFNhOtj0Nfd/U+ov
2TyrHJIDbTLEVw8BNOvtb1nuKS9oE1k+UoIrf2WzcfD9phFDovGMwpiW3BSUA4e6
02YtyUZQ7nhFxK3U5rPNIWFdE4G8jt7GqV7k2k900iL7FH4FXHRISGp+v0hg8Peo
apxJbMUiqAPnIVSjHHD1EC4pupcINX9kuZql46fltdSBITgfev/wXGZUOTn0tRpT
yfkLWUhlWg+3TkKh4Grh9mLjhTts0WOl6gyRG3V7dPTH8A5X5yEnMLlRBV/kzeRk
tcH8IcuNOH0=
=ZlUU
-----END PGP SIGNATURE-----