Main Vulnerability Database SB2017091401

SB2017091401 - Security restrictions bypass in Cisco Meeting Server

Published: September 14, 2017 Updated: September 14, 2017

Security Bulletin ID SB2017091401

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Security restrictions bypass (CVE-ID: CVE-2017-12249)

The vulnerability allows a remote authenticated attacker to gain unauthenticated or unauthorized access to components of sensitive information.

The weakness exists due to incorrect default configuration of the TURN server. A remote attacker can use a TURN server, depending on the deployment model and CMS services in use to perform an unauthorized connection to a Call Bridge, a Web Bridge, or a database cluster and gain unauthorized access to sensitive meeting information. Successful exploitation of the vulnerability is able if the attacker has valid credentials for the TURN server.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170913-cmsturn