SB2018062106 - Multiple vulnerabilities in Cisco Meeting Server

Published: June 21, 2018

Security Bulletin ID: SB2018062106
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2018-0371)

The vulnerability allows a remote authenticated attacker to cause a denial-of-service (DoS) condition on the target system.

The vulnerability exists in the Web Admin Interface of Cisco Meeting Server due to insufficient validation of incoming HTTP requests. A remote attacker can send a specially crafted HTTP request to the Web Admin Interface and cause the system to restart, terminating all ongoing calls.


2) Session fixation attack (CVE-ID: CVE-2018-0359)

The vulnerability allows a local unauthenticated attacker to conduct a session fixation attack.

The weakness exists in the session identifier management of the web-based management interface for Cisco Meeting Server: the affected application does not assign a new session identifier to a user session when the user authenticates to the application. A local attacker who holds a session identifier issued before login can use it to connect to the application through the web-based management interface and hijack the authenticated user's browser session.
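To make the mechanism behind the second issue concrete, the following is an added Python illustration (not Cisco's code; the in-memory store and function names are assumptions). It shows a login that keeps the pre-authentication session identifier, as described above, beside one that rotates it on successful login, plus the check an auditor would run: does the identifier change across login?

```python
import secrets

# Constructed in-memory session store (assumption, not Cisco Meeting Server internals).
class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def new_anonymous(self):
        """Issue the identifier a browser receives before it authenticates."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_keep_id(self, sid, user):
        """Weak pattern described in CVE-2018-0359: the pre-auth identifier
        is simply promoted to an authenticated session, so anyone who knew
        that identifier before login now shares the authenticated session."""
        if sid not in self.sessions:
            sid = self.new_anonymous()
        self.sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        """Hardened pattern: invalidate the pre-auth identifier and issue a
        fresh one on authentication; the old value no longer maps to anything."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        """Username bound to an identifier, or None if it is unknown/anonymous."""
        return self.sessions.get(sid, {}).get("user")


def user_seen_via_pre_auth_id(login_name):
    """Simulate a user logging in with a pre-auth identifier and report which
    user that old identifier resolves to afterwards (None means it was rotated)."""
    store = SessionStore()
    pre_auth_sid = store.new_anonymous()
    getattr(store, login_name)(pre_auth_sid, "alice")
    return store.whoami(pre_auth_sid)


def id_rotated_on_login(login_name):
    """Audit check: a fixation-resistant login returns a different identifier
    from the one presented before authentication."""
    store = SessionStore()
    pre_auth_sid = store.new_anonymous()
    return getattr(store, login_name)(pre_auth_sid, "alice") != pre_auth_sid
```

The same check applies to a real deployment: capture the session cookie before and after login and confirm the value changed.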

Remediation

Install update from vendor's website.