Cisco Security Advisory http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml en-us 1992-2010 Cisco Systems, Inc. All rights reserved. Security Advisories Cisco Systems, Inc. 15 Cisco Wireless Residential Gateway Remote Code Execution Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Wireless%20Residential%20Gateway%20Remote%20Code%20Execution%20Vulnerability&vs_k=1 A vulnerability in the web server used in multiple Cisco Wireless Residential Gateway products could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.<br /> <br /> The vulnerability is due to incorrect input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.<br /> <br /> This advisory is available at the following link:<br /> <a target="_self" href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm</a> Fri, 18 Jul 2014 17:55:37 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm Multiple Vulnerabilities in OpenSSL Affecting Cisco Products http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Multiple%20Vulnerabilities%20in%20OpenSSL%20Affecting%20Cisco%20Products&vs_k=1 Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack. On June 5, 2014, the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities.
The vulnerabilities are referenced in this document as follows:<br /> <ul> <li>SSL/TLS Man-in-the-Middle Vulnerability</li> <li>DTLS Recursion Flaw Vulnerability</li> <li>DTLS Invalid Fragment Vulnerability</li> <li>SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability</li> <li>SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability</li> <li>Anonymous ECDH Denial of Service Vulnerability</li> <li>ECDSA NONCE Side-Channel Recovery Attack Vulnerability</li> </ul> <p> Please note that the devices that are affected by this vulnerability are the devices acting as a Secure Sockets Layer (SSL) or Datagram Transport Layer Security (DTLS) server terminating SSL or DTLS connections or devices acting as an SSL client initiating an SSL or DTLS connection. Devices that are simply traversed by SSL or DTLS traffic without terminating it are not affected.&nbsp;</p> This advisory will be updated as additional information becomes available.<br /> Cisco will release free software updates that address these vulnerabilities. 
<br /> Workarounds that mitigate these vulnerabilities may be available.&nbsp;<br /> <br /> This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl</a> Fri, 18 Jul 2014 17:08:08 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Apache%20Struts%202%20Command%20Execution%20Vulnerability%20in%20Multiple%20Cisco%20Products&vs_k=1 Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870. <br /> <br /> The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the <em>ParameterInterceptors</em> directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system. <br /> <br /> Cisco has released free software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series.
Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options.<br /> <br /> Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2</a> Wed, 09 Jul 2014 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2 Multiple Vulnerabilities in Cisco Unified Communications Domain Manager http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Multiple%20Vulnerabilities%20in%20Cisco%20Unified%20Communications%20Domain%20Manager&vs_k=1 Cisco Unified Communications Domain Manager (Cisco Unified CDM) is affected by the following vulnerabilities:<br /> <ul> <li>Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability</li> <li>Cisco Unified Communications Domain Manager Default SSH Key Vulnerability </li> <li>Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability </li> </ul> <p>Successful exploitation of the&nbsp;Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability or of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system.</p> Successful exploitation of the Cisco
Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may allow an attacker to access and modify BVSMWeb portal user <span id="ctl00_MainBodyContainer_DgFields_ctl02_lblField">information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings.</span><br /> <br /> Cisco has released free software updates that address the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability and the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability. <br /> Cisco will provide a free software update for the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability as soon as the fix is available.<br /> <br /> Workarounds that mitigate these vulnerabilities are not available.&nbsp;Customers that are concerned about the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may apply the mitigation detailed in the "Workarounds" section of this advisory.
<br /> <br /> This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm</a> Tue, 08 Jul 2014 21:14:32 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm Cisco IOS XR Software IPv6 Malformed Packet Denial of Service Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140611-ipv6?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOS%20XR%20Software%20IPv6%20Malformed%20Packet%20Denial%20of%20Service%20Vulnerability&vs_k=1 <br /> A vulnerability in the parsing of malformed Internet Protocol version 6 (IPv6) packets in Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a lockup and eventual reload of a Network Processor (NP) chip and a line card processing traffic. Only Trident-based line cards on Cisco ASR 9000&nbsp;Series Aggregation Services Routers are affected by this vulnerability.<br /> <br /> The vulnerability is due to insufficient logic in parsing malformed IPv6 packets. An attacker could exploit this vulnerability by sending a stream of malformed IPv6 packets to the affected device. An exploit could allow the attacker to cause a lockup and eventual reload of an NP chip and a line card, leading to a denial of service (DoS) condition.<br /><br /> <br /> Cisco has released free software updates that address this vulnerability.
<br /> There are no workarounds that address this vulnerability.<br /> <br /> This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140611-ipv6">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140611-ipv6</a> Fri, 13 Jun 2014 14:01:36 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140611-ipv6 OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=OpenSSL%20Heartbeat%20Extension%20Vulnerability%20in%20Multiple%20Cisco%20Products&vs_k=1 Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.<br /> <br /> The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent.
The disclosed portions of memory could contain sensitive information that may include private keys and passwords.<br /> <br /> Please note that the devices that are affected by this vulnerability are the devices acting as an SSL server terminating SSL connections or devices acting as an SSL Client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected. <br /> <br /> This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available. This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed</a> Fri, 06 Jun 2014 13:03:42 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed Multiple Vulnerabilities in Cisco NX-OS-Based Products http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-nxos?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Multiple%20Vulnerabilities%20in%20Cisco%20NX-OS-Based%20Products&vs_k=1 Cisco Nexus, Cisco Unified Computing System (UCS), and Cisco 1000 Series Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system.
These products are affected by one or more of the following vulnerabilities:<br /> <ul> <li>Cisco NX-OS Virtual Device Context SSH Privilege Escalation Vulnerability</li> <li>Cisco NX-OS Virtual Device Context SSH Key Privilege Escalation Vulnerability</li> <li>Cisco NX-OS-Based Products Smart Call Home Buffer Overflow Vulnerability</li> <li>Cisco NX-OS Message Transfer Service Denial of Service Vulnerability&nbsp; <ul> <li>No officially released images are affected</li> </ul> </li> </ul> Cisco has released free software updates that address these vulnerabilities.<br /> <br /> This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-nxos">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-nxos</a> Mon, 02 Jun 2014 20:25:26 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-nxos Cisco Wide Area Application Services Remote Code Execution Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-waas?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Wide%20Area%20Application%20Services%20Remote%20Code%20Execution%20Vulnerability&vs_k=1 A vulnerability in Cisco Wide Area Application Services (WAAS) software versions 5.1.1 through 5.1.1d, when configured with the SharePoint acceleration feature, could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.<br /> <br /> The vulnerability is due to incorrect buffer handling for SharePoint responses.
An attacker could exploit this vulnerability by convincing a user to access a malicious SharePoint application. An exploit could allow the attacker to crash the application optimization handler and execute arbitrary code with elevated privileges on the WAAS appliance.<br /> <br /> Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-waas">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-waas</a> Wed, 21 May 2014 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-waas Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140507-webex?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Multiple%20Vulnerabilities%20in%20the%20Cisco%20WebEx%20Recording%20Format%20and%20Advanced%20Recording%20Format%20Players&vs_k=1 Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. Exploitation of these vulnerabilities could allow a remote attacker to cause an affected player to crash and, in some cases, could allow a remote attacker to execute arbitrary code on the system of a targeted user.<br /> <br /> The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an online meeting attendee.
The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.<br /> <br /> Cisco has updated affected versions of the Cisco WebEx Business Suite meeting sites, Cisco WebEx 11 meeting sites, Cisco WebEx Meetings Server, and Cisco WebEx WRF and ARF Players to address these vulnerabilities.&nbsp;This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140507-webex">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140507-webex</a> Wed, 07 May 2014 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140507-webex Cisco IOS Software IPv6 Denial of Service Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-ipv6?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOS%20Software%20IPv6%20Denial%20of%20Service%20Vulnerability&vs_k=1 <p>Cisco IOS Software contains a vulnerability in the IP version 6 (IPv6) protocol stack implementation that could allow an unauthenticated, remote attacker to cause a reload of an affected device that has IPv6 operation enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.</p> <p>Cisco has released free software updates that address this vulnerability.
There are no workarounds to mitigate this vulnerability.</p> <p>This advisory is posted at <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-ipv6">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-ipv6</a>.</p> <span class="content"> <p> <strong>Note:</strong> The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Nine of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication. </p> <p> Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: </p> <p> <a href="http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html">http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html</a> </p> </span> Tue, 20 May 2014 12:47:58 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-ipv6 Multiple Vulnerabilities in Cisco TelePresence System MXP Series http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-mxp?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Multiple%20Vulnerabilities%20in%20Cisco%20TelePresence%20System%20MXP%20Series&vs_k=1 Cisco TelePresence System MXP Series Software contains the following vulnerabilities:<br /> <ul> <li>Three SIP denial of service vulnerabilities</li> <li>Three
H.225 denial of service vulnerabilities</li> </ul> <p>Successful exploitation of these vulnerabilities may allow an attacker to cause system instability and the affected system to reload.<br /> <br /> <strong>Note: </strong>This security advisory does not provide information about the OpenSSL TLS Heartbeat Read Overrun Vulnerability identified by CVE-2014-0160 (also known as Heartbleed).&nbsp; For additional information regarding Cisco products affected by the Heartbleed vulnerability, refer to the Cisco Security Advisory available at the following link:&nbsp; <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed</a></p> Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-mxp">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-mxp</a> Wed, 30 Apr 2014 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-mxp Multiple Vulnerabilities in Cisco TelePresence TC and TE Software http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-tcte?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Multiple%20Vulnerabilities%20in%20Cisco%20TelePresence%20TC%20and%20TE%20Software&vs_k=1 Cisco TelePresence TC and TE Software are affected by the following vulnerabilities:<br /> <ul> <li>Six Session Initiation
Protocol (SIP) denial of service vulnerabilities</li> <li>Cisco TelePresence TC and TE Software DNS Buffer Overflow Vulnerability</li> <li>Cisco TelePresence TC and TE Software Input Validation Vulnerability</li> <li>Cisco TelePresence TC and TE Software tshell Command Injection Vulnerability</li> <li>Cisco TelePresence TC and TE Software Heap Overflow Vulnerability</li> <li>Cisco TelePresence TC and TE Software U-Boot Buffer Overflow Vulnerability</li> <li>Cisco TelePresence TC and TE Software Unauthenticated Serial Port Access Vulnerability</li> <li>Cisco TelePresence TC H.225 Denial of Service Vulnerability </li> </ul> Successful exploitation of these vulnerabilities could allow an attacker to cause the affected system to reload, execute arbitrary commands or obtain privileged access to the affected system.<br /> <br /> <div><strong>Note:</strong>&nbsp;This security advisory does not provide information about the OpenSSL TLS Heartbeat Read Overrun Vulnerability identified by CVE-2014-0160&nbsp;(also known as <em>Heartbleed</em>).&nbsp; For additional information on Cisco products affected by the Heartbleed vulnerability, refer to the Cisco Security Advisory available at the following link:&nbsp; <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed</a></div> <br /> <br /> Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-tcte">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-tcte</a> Wed, 30 Apr 2014 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140430-tcte