Denial of Service Vulnerability in Cisco Expressway Series and TelePresence VCS Software
CVE-2017-3790

8.6 HIGH

Summary

A security vulnerability exists in the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software due to insufficient validation of user-supplied data. An unauthenticated remote attacker could exploit this flaw by sending specially crafted H.224 data in RTP packets during an H.323 call, causing the application to crash. This can cause a denial of service condition that requires a system reload. All versions prior to X8.8.2 are affected and need immediate upgrading to mitigate this risk, as no workarounds are available.

Affected Version(s)

Cisco Expressway Series Software and Cisco TelePresence VCS Software: all versions prior to version X8.8.2 are vulnerable.

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
