Networking-Forums.com

Professional Discussions => Vendor Advisories => Topic started by: Netwörkheäd on December 21, 2020, 06:36:45 PM

Title: Cisco Security Advisory - Cisco TelePresence Collaboration Endpoint Software Information Disclosure Vulnerability
Post by: Netwörkheäd on December 21, 2020, 06:36:45 PM
Cisco TelePresence Collaboration Endpoint Software Information Disclosure Vulnerability

A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected device.


The vulnerability is due to improper storage of sensitive information on an affected device. An attacker could exploit this vulnerability by accessing information that should not be accessible to users with low privileges. A successful exploit could allow the attacker to gain access to sensitive information.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tele-info-DrEGLpDQ

Security Impact Rating: Medium

CVE: CVE-2020-26086
Source: Cisco TelePresence Collaboration Endpoint Software Information Disclosure Vulnerability (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tele-info-DrEGLpDQ?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20TelePresence%20Collaboration%20Endpoint%20Software%20Information%20Disclosure%20Vulnerability&vs_k=1)
Title: Re: Cisco Security Advisory - Cisco TelePresence Collaboration Endpoint Software Information Disclos
Post by: Dieselboy on December 21, 2020, 08:49:12 PM
I have a few of these devices.

What sort of "sensitive information" would be disclosed? I'm curious because to set these devices up in the Webex cloud, all I do is enter in the code generated from the cloud. This then applies the device within a room and is given a name which I specify.

In terms of normal usage, people walk into the room and they are discovered using high-frequency sound waves (ultrasound). Their Webex software picks up the sound and then they are paired with that device.

The devices are used normally via audio and video calls and whiteboarding. The persons' names appear on the device when paired.
Title: Re: Cisco Security Advisory - Cisco TelePresence Collaboration Endpoint Software Information Disclos
Post by: deanwebb on December 22, 2020, 08:49:10 AM
It's an authenticated remote attacker, so I'm presuming it's a privilege escalation that would allow admin access to stored calls.