Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco TelePresence System Directory Information Disclosure Vulnerability

Cisco-SA-20140522-CVE-2014-3274 · Medium · Published · Updated

A vulnerability in the code retrieving directory information of Cisco TelePresence System (CTS) could allow an unauthenticated, remote attacker to intercept and read the content of a directory transferred between the CTS and the Cisco Unified Communications Manager (Cisco UCM).

The vulnerability is due to a failure to enforce HTTPS for transferring directory content. An attacker could exploit this vulnerability by blocking the connection over HTTPS between the CTS and Cisco UCM. Because of this vulnerability, the CTS will then try to connect to the Cisco UCM via HTTP, which could allow directory information to be gathered by observing the communication between the CTS and Cisco UCM.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, an attacker would likely need access to the trusted, internal networks in which the targeted device and the Cisco UCM reside in order to block the HTTPS connection between the two devices. This access requirement would likely reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to monitor affected systems.
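
The monitoring advice above can be made concrete as a check for the downgrade the advisory describes: a failed HTTPS connection from an endpoint to Cisco UCM followed shortly by a cleartext HTTP connection between the same pair. This is an added example, not code from Cisco or from this page; the log format, addresses, port numbers (443/80) and the 60-second window are assumptions to adapt to the monitored environment.

```python
from datetime import datetime, timedelta

# Assumptions (not from the advisory): log format, ports, window, addresses.
HTTPS_PORT, HTTP_PORT = 443, 80
WINDOW = timedelta(seconds=60)
UCM_HOSTS = {"192.0.2.10"}  # documentation-range address standing in for UCM

# Constructed sample records: time, source, destination, dest port, outcome
SAMPLE_LOG = """\
2014-05-22T10:00:01 198.51.100.21 192.0.2.10 443 established
2014-05-22T10:05:00 198.51.100.22 192.0.2.10 443 reset
2014-05-22T10:05:03 198.51.100.22 192.0.2.10 80 established
2014-05-22T10:07:00 198.51.100.23 192.0.2.10 443 timeout
2014-05-22T10:20:00 198.51.100.23 192.0.2.10 80 established
2014-05-22T10:30:00 198.51.100.24 192.0.2.10 80 established
"""

def parse(log_text):
    """Yield (time, src, dst, port, outcome); skip malformed records."""
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, outcome = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port), outcome
        except ValueError:
            continue  # wrong field count, bad timestamp or bad port

def detect(log_text):
    """Return (kind, source, time) for each cleartext HTTP session to UCM."""
    last_failure = {}  # (src, dst) -> time of most recent failed HTTPS attempt
    findings = []
    for when, src, dst, port, outcome in sorted(parse(log_text)):
        if dst not in UCM_HOSTS:
            continue
        pair = (src, dst)
        if port == HTTPS_PORT:
            if outcome == "established":
                last_failure.pop(pair, None)  # HTTPS works again, clear state
            else:
                last_failure[pair] = when
        elif port == HTTP_PORT and outcome == "established":
            failed = last_failure.get(pair)
            # HTTP soon after a failed HTTPS attempt matches the downgrade
            recent = failed is not None and when - failed <= WINDOW
            findings.append(("fallback" if recent else "cleartext",
                             src, when.isoformat()))
    return findings

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

A "fallback" finding is the pattern to investigate first; "cleartext" findings show endpoints using HTTP to UCM without a recent HTTPS failure and are candidates for the software update.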

CVEs: CVE-2014-3274
Cisco Bug IDs: CSCuj26326
CVSS Score: Base 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)
Product Names From Source: Cisco TelePresence System Software

Related Products

Product | CVE | Evidence
Cisco Unified Communications Manager | CVE-2014-3274 | Cisco OpenVuln
Cisco TelePresence System Software | CVE-2014-3274 | Cisco OpenVuln
Cisco TelePresence | CVE-2014-3274 | Cisco OpenVuln