SB2021082303 - Multiple vulnerabilities in Cisco Expressway Series and TelePresence Video Communication Server

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-34715)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to insufficient validation of the content of upgrade packages. A remote administrator can upload a malicious archive to the Upgrade page and execute arbitrary code on the target system.

2) Improper Cleanup on Thrown Exception (CVE-ID: CVE-2021-34716)

CWE-ID: CWE-460 - Improper Cleanup on Thrown Exception

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to incorrect handling of certain crafted software images that are uploaded to the affected device. A remote administrator can upload specially crafted software images and execute arbitrary code on the underlying operating system. 

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewver-c6WZPXRx
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewrce-QPynNCjh