Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability

cisco-sa-20160504-tpxml · Critical

A vulnerability in the XML application programming interface (API) of Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, remote attacker to bypass authentication and access a targeted system through the API. The vulnerability is due to improper implementation of authentication mechanisms for the XML API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API. A successful exploit could allow the attacker to perform unauthorized configuration changes or issue control commands to the affected system by using the API. Cisco has released software updates that address this vulnerability. There is a workaround that addresses this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml


Workarounds

To work around this vulnerability, administrators can disable the XML API on an affected system. However, this API is used by the Cisco TelePresence Management Suite (TMS), which means that administrators will not be able to manage the system by using TMS if they disable the API.

To disable the XML API, do the following in the web interface of the software:

Navigate to xConfig > NetworkServices > XMLAPI > Mode.
Change the Mode setting to Off.

Reboot the main device for the new configuration to take effect. The device can be rebooted from the local touch control device or the IR remote controller.

CVEs: CVE-2016-1387
Cisco Bug IDs: CSCuz26935
CVSS Score: Base 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C/E:F/RL:OF/RC:C)
Product Names From Source: Cisco TelePresence TC Software

Related Products

Product | CVE | Evidence
Cisco TelePresence TC Software | CVE-2016-1387 | Cisco OpenVuln
Cisco TelePresence | CVE-2016-1387 | Cisco OpenVuln