Cisco TelePresence CE and RoomOS Vulnerabilities Could Allow Arbitrary File Overwrite
CVE-2023-20004

4.4 MEDIUM

Key Information:

Vendor:
Cisco
CVE Published:
15 November 2024

Summary

Multiple vulnerabilities in the command-line interface (CLI) of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. The vulnerabilities are due to improper access controls on files in the local file system. An attacker could exploit them by placing a symbolic link at a specific location on the local file system, so that a subsequent write to that location follows the link and lands on the file the attacker chose as its target. Exploitation requires a remote support user account on the device, which is why the CVSS vector rates Privileges Required as High. Cisco DX70, Cisco DX80, Cisco TelePresence MX Series and Cisco TelePresence SX Series devices are not affected. Cisco has released software updates that address these vulnerabilities; there are no workarounds.
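The symbolic-link file-overwrite class behind this advisory is easiest to see in code. The following is an added illustration written for this page, not Cisco's code and not a reproduction of the RoomOS flaw: a low-privileged user plants a symlink where a privileged writer will later create its output, the naive writer follows the link and clobbers the protected file, and a writer that opens with O_NOFOLLOW refuses. All paths and names are hypothetical, the "protected" file is a temp file standing in for a root-owned one, and the example assumes a POSIX system where os.O_NOFOLLOW is available.

```python
import os
import tempfile

# Constructed demonstration of a symlink-follow file overwrite.
# Nothing here is RoomOS code; every path and name is hypothetical.


def vulnerable_write(path: str, data: bytes) -> None:
    """Privileged writer that trusts a fixed output path.

    open() follows symbolic links, so a link planted at `path` by a
    less-privileged user redirects the truncate-and-write to whatever
    the link points at.
    """
    with open(path, "wb") as f:
        f.write(data)


def hardened_write(path: str, data: bytes) -> None:
    """Privileged writer that refuses to follow a link at the final component.

    O_NOFOLLOW makes open(2) fail with ELOOP if `path` itself is a symlink,
    and the kernel checks this atomically, so there is no lstat()-then-open()
    race for the attacker to win. O_TRUNC never runs because the open fails.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def run_scenario(writer) -> bool:
    """Run one attack attempt against `writer`.

    Returns True if the protected file was overwritten (attack succeeded),
    False if its original content survived.
    """
    with tempfile.TemporaryDirectory() as root:
        # Stand-in for a root-owned file the attacker cannot write directly.
        protected = os.path.join(root, "protected_config")
        with open(protected, "wb") as f:
            f.write(b"original\n")

        # Hypothetical spool directory the low-privileged account can write
        # to, where the privileged CLI later drops its output file.
        spool = os.path.join(root, "remote_support_spool")
        os.mkdir(spool)
        out_path = os.path.join(spool, "session.log")

        # The attacker's only action: plant a link before the privileged write.
        os.symlink(protected, out_path)

        try:
            writer(out_path, b"attacker-chosen content\n")
        except OSError:
            pass  # the hardened writer raises ELOOP here; the attack fails

        with open(protected, "rb") as f:
            return f.read() != b"original\n"


if __name__ == "__main__":
    print("vulnerable writer overwrote protected file:", run_scenario(vulnerable_write))
    print("hardened writer overwrote protected file:  ", run_scenario(hardened_write))
```

O_NOFOLLOW only guards the last path component; a symlinked parent directory is still followed, so a privileged writer should also avoid directories the lower-privileged account can write to, or open the parent first and use openat() relative to that descriptor.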

Affected Version(s)

Cisco RoomOS Software

Cisco TelePresence Endpoint Software (TC/CE) CE9.10.2

Cisco TelePresence Endpoint Software (TC/CE) CE9.1.4

CVSS V3.1

Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Score:
4.4
Severity:
MEDIUM
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Confidentiality:
None
Integrity:
High
Availability:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 15 November 2024