SB2023042030 - Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint and RoomOS

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023042030

SB2023042030 - Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint and RoomOS

Published: April 20, 2023

Security Bulletin ID SB2023042030
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2023-20004)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the CLI. A local administrator can place a symbolic link in a specific location on the local file system and overwrite arbitrary files.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20090)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local administrator to escalate privileges on the system.

The vulnerability exists due to improper access control on certain CLI commands, which leads to security restrictions bypass and privilege escalation.


3) Improper access control (CVE-ID: CVE-2023-20091)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the CLI. A local administrator can place a symbolic link in a specific location on the local file system and overwrite arbitrary files.


4) Improper access control (CVE-ID: CVE-2023-20092)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the CLI. A local administrator can place a symbolic link in a specific location on the local file system and overwrite arbitrary files.


Remediation

Install update from vendor's website.

References