Cisco TelePresence CE and RoomOS Vulnerability Allows Arbitrary File Overwriting
CVE-2023-20091
Key Information:
- Vendor: Cisco
- CVE Published: 15 November 2024
Summary
A security risk exists within the command-line interface (CLI) of Cisco TelePresence CE and RoomOS, where improper access controls allow an authenticated local attacker to overwrite files on the local file system. By placing a symbolic link in a designated location, the attacker can target arbitrary files, leading to potential manipulation or corruption of data. The exploitation of this vulnerability requires an attacker to possess a remote support user account. Cisco has addressed the issue through software updates, and there are currently no available workarounds.
Affected Version(s)
Cisco TelePresence Endpoint Software (TC/CE) CE9.10.2
Cisco TelePresence Endpoint Software (TC/CE) CE9.1.4
Cisco TelePresence Endpoint Software (TC/CE) CE9.9.3