AusCERT - ESB-2013.0523 - [Win][UNIX/Linux][Cisco] Cisco Unified MeetingPlace: Unauthorised access

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2013.0523 - [Win][UNIX/Linux][Cisco] Cisco Unified MeetingPlace: Unauthorised access - Remote/unauthenticated
Date: 11 April 2013

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0523
      Multiple Vulnerabilities in Cisco Unified MeetingPlace Solution
                               11 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Unified MeetingPlace
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-mp

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified
MeetingPlace Solution

Advisory ID: cisco-sa-20130410-mp

Revision 1.0

For Public Release 2013 April 10 16:00  UTC (GMT)

+----------------------------------------------------------------------

Summary
=======

Cisco Unified MeetingPlace Application Server contains an authentication
bypass vulnerability and Cisco Unified MeetingPlace Web Conferencing
Server contains an arbitrary login vulnerability. For both
vulnerabilities, successful exploitation could allow an unauthenticated,
remote attacker to impersonate a legitimate user and send arbitrary
commands to the affected system with the privileges of that user.

Cisco has released free software updates that address these
vulnerabilities. A workaround is available for the Cisco Unified
MeetingPlace Web Conferencing Server Arbitrary Login Vulnerability. This
advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-mp

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlFlkTIACgkQUddfH3/BbTry0QD/awwTnQ3pFKZZaKwl0jslafJC
P3L5GHiKhL9bE92KEkMA/RRgoVb0TOUiTubSi1c3jnQKZVtI19zWdYElJkYcQSXP
=7GS+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUWYmre4yVqjM2NGpAQLqHBAAie6Zequh69INo9ajdZ2ikJr4WvaBd1AN
UtILJ+N/YIFnuvxh0G2rZ1G6D9ctP1KXaVeBtvquou3ohgA5FVYq2fL09ZobjMC8
yfalG/Ws8MocxDXgo/I7g3WV4d/QeG1Ywvbd1GzNeMIDuY2MWJ0q3qTDzbiIwEWp
OPkx/6hLT+SMrR1qN/IUtBUhfKfp7SNGtjEr8uyQTAtFcd2VTYtHCOFvIqLKzxn/
2QGTVt1xONOTTt0AwnIC0Ypk7rfuxH8/YYWznhGN2QuZYUrZF5OZQxEOv/rb0gfq
AsKiif6KqaTVqpAP1ZZpUs7CwOtMs7wf8hYLWE4IiIDDxZ/YjulyY99mdUxGxgmt
y+1o+xoqDRvbTsTXHriGvjzVeRcWcryQ3DFbe++gxkryb6KsvLJ0KVRNMJjiS8Mg
N2IR0L13EJ7gi7ZW3ea97YPpLD4Zai9e/82HXlwiDzeqUyYmGu5z/GC1KRVgjvOp
CzWSDPuMc/tpI00q24pNCblw41tX+0CLwaQOdnWOXqKh4UO/+vvLKnfKELIgnJRR
rT4BWvHrlBESdWc3BiFFoxGUnTch2CG6GFUXOKFMGaZbAiJwmdjpPc/iPg8w3E0o
pNlBEcSV2Jmzb6kCkr+fJvtHLLprGH6TbqI3AE/FZdEEhwR99ylKIdYY+5xJX7tT
Q0XcLgsY4aI=
=hblk
-----END PGP SIGNATURE-----