Cisco: Whoops, hackers can commandeer your TelePresence boxes with a devilish HTTP poke
Critical flaw among trio of bugs blatted this week
Cisco has released three security patches to address flaws in its TelePresence, FirePower and Adaptive Security Appliance lines.
The May bundle includes one patch classified by Cisco as "critical" and two more labeled "high" risks. In total, the updates remedy three CVE-listed security vulnerabilities:
- For TelePresence appliances, Cisco has released a "critical" update to address a remote-code execution vulnerability. The flaw, CVE-2016-1387, allows a remote and unauthenticated attacker to exploit a weakness in the TelePresence Codec API with a specially crafted HTTP request. After leveraging that, the miscreant can execute commands on the targeted appliance. Cisco said the issue was discovered internally with no reports of exploits in the wild – yet.
- Users running the Adaptive Security Appliance with FirePower services should install the update to remedy CVE-2016-1369. That flaw allows an attacker to crash the appliance by sending an IP packet flood to overwhelm the appliance and trigger a denial of service. Cisco said the flaw was found during a support case and no exploits have been spotted in the wild.
- A separate flaw was discovered for the FirePower System Software that allows a miscreant to pull off a similar denial of service attack. An attacker could exploit the CVE-2016-1368 packet overflow vulnerability on FirePower 7000 and 8000 series hardware to knock the kit offline or cause a reboot. This flaw was also found while resolving support cases and no attacks in the wild have been reported.
Cisco and US-CERT are advising administrators to test and install the patches as needed. The fixes will likely be the first of many IT administrators will see in the coming days, as Microsoft and Adobe's Patch Tuesday releases are due to land next Tuesday, on May 10. ®