Buffer over-read

#VU8242 Buffer over-read

Published: 2017-09-12

Vulnerability identifier: #VU8242

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12857

CWE-ID: CWE-126

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RealPresence Trio
Hardware solutions / Firmware
VVX
Hardware solutions / Firmware
SoundStation IP
Hardware solutions / Firmware

Vendor: Polycom, Inc.

Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The weakness exists due to buffer over-read. A remote attacker can upload a specially crafted file containing null characters and obtain potentially sensitive information from uninitialized system memory.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation
The vulnerability is addressed in the following version: UCS 4.0.12, 5.6.0, 5.5.2, 5.4.7, 5.4.5.

Vulnerable software versions

RealPresence Trio: All versions

VVX: All versions

SoundStation IP: All versions

External links
http://support.polycom.com/content/dam/polycom-support/global/documentation/securityadvisory-informa...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Polycom UCS-Based Products