Information disclosure in Polycom UCS-Based Products
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-12857 |
| CWE-ID | CWE-126 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
RealPresence Trio Hardware solutions / Firmware VVX Hardware solutions / Firmware SoundStation IP Hardware solutions / Firmware |
| Vendor | Polycom, Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Buffer over-read
EUVDB-ID: #VU8242
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-12857
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The weakness exists due to buffer over-read. A remote attacker can upload a specially crafted file containing null characters and obtain potentially sensitive information from uninitialized system memory.
Successful exploitation of the vulnerability results in information disclosure.
The vulnerability is addressed in the following version: UCS 4.0.12, 5.6.0, 5.5.2, 5.4.7, 5.4.5.
RealPresence Trio: All versions
VVX: All versions
SoundStation IP: All versions
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
