Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3475
Cisco Video Surveillance 8000 Series IP Cameras Cisco
Discovery Protocol Memory Leak Vulnerabilities
8 October 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Video Surveillance 8000 Series IP Cameras
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-3544 CVE-2020-3543
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-memleak-heyebx9
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-rcedos-mAHR8vNx
Comment: This bulletin contains two (2) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Memory
Leak Vulnerability
Priority: Medium
Advisory ID: cisco-sa-cdp-memleak-heyebx9
First Published: 2020 October 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvv21693
CVE-2020-3543
CWE-400
Summary
o A vulnerability in the Cisco Discovery Protocol of Cisco Video Surveillance
8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to
cause a memory leak, which could lead to a denial of service (DoS)
condition on an affected device.
The vulnerability is due to incorrect processing of certain Cisco Discovery
Protocol packets. An attacker could exploit this vulnerability by sending
certain Cisco Discovery Protocol packets to an affected device. A
successful exploit could allow the attacker to cause the affected device to
continuously consume memory, which could cause the device to crash and
reload, resulting in a DOS condition.
Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
vulnerability, an attacker must be in the same broadcast domain as the
affected device (Layer 2 adjacent).
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-cdp-memleak-heyebx9
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Video
Surveillance 8000 Series IP Cameras firmware releases earlier than Release
1.0.9-5.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Video Surveillance 3000 Series IP Cameras
Video Surveillance 4000 Series High-Definition IP Cameras
Video Surveillance 4300E High-Definition IP Cameras
Video Surveillance 4500E High-Definition IP Cameras
Video Surveillance 6000 Series IP Cameras
Video Surveillance 7000 Series IP Cameras
Video Surveillance PTZ IP Cameras
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Video Surveillance 8000 Series IP Cameras
firmware releases 1.0.9-5 and later contained the fix for this
vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Qian Chen of Qihoo 360 Nirvan Team for reporting
this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-cdp-memleak-heyebx9
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-OCT-07 |
+----------+---------------------------+----------+--------+--------------+
- -------------------------------------------------------------------------------
Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote
Code Execution and Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-cdp-rcedos-mAHR8vNx
First Published: 2020 October 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvv21695
CVE-2020-3544
CWE-119
Summary
o A vulnerability in the Cisco Discovery Protocol implementation for Cisco
Video Surveillance 8000 Series IP Cameras could allow an unauthenticated,
adjacent attacker to execute arbitrary code on an affected device or cause
the device to reload.
This vulnerability is due to missing checks when an IP camera processes a
Cisco Discovery Protocol packet. An attacker could exploit this
vulnerability by sending a malicious Cisco Discovery Protocol packet to an
affected device. A successful exploit could allow the attacker to execute
code on the affected IP camera or cause it to reload unexpectedly,
resulting in a denial of service (DoS) condition.
Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
vulnerability, an attacker must be in the same broadcast domain as the
affected device (Layer 2 adjacent).
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-cdp-rcedos-mAHR8vNx
Affected Products
o Vulnerable Products
This vulnerability affects Cisco Video Surveillance 8000 Series IP Cameras
if they are running a firmware release earlier than Release 1.0.9-5 and
have the Cisco Discovery Protocol enabled.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Video Surveillance 3000 Series IP Cameras
Video Surveillance 4000 Series High-Definition IP Cameras
Video Surveillance 4300E High-Definition IP Cameras
Video Surveillance 4500E High-Definition IP Cameras
Video Surveillance 6000 Series IP Cameras
Video Surveillance 7000 Series IP Cameras
Video Surveillance PTZ IP Cameras
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in Cisco Video Surveillance 8000 Series IP
Camera firmware releases 1.0.9-5 and later.
To download the firmware from the Software Center on Cisco.com, do the
following:
1. Click Browse all.
2. Choose Connected Safety and Security > Video Surveillance IP Cameras >
Video Surveillance 8000 Series IP Cameras .
3. Choose the appropriate IP camera model.
4. Click Video Surveillance 8000 Series IP Camera Firmware.
5. Choose a release from the left pane of the product page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Qian Chen of Qihoo 360 Nirvan Team for reporting
this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-cdp-rcedos-mAHR8vNx
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-OCT-07 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX36Ji+NLKJtyKPYoAQiUSg/8DGDZBMYt9pS7X86a2XYp4O43q8964d+S
UjR+ReHURb2dkfd/2185gqAZU68D2CDBvfrCKnBBcwTzuGHnwk90CxFQKGizjdeZ
QxHt9phGRdCHhCfcoOU4qe7VvBuw96q5/tb9AngoBqNV0+FbmNsQdH2+LevoX3hn
d6LPdlLuHwG1ox/F3GQayp8EiLIaM2KmOgXcmfVEpbowIGIPKDhnOl39rjk0aW9d
3N5XsSpKApAjQqIXuzNRm42pzewzMf0R7SHGqzUu+k5eyrM2fcp1oIDajvXjOpwo
6RJdVdW3mczGxRGD15x8Z0X7NBoivXxx3pRPTtr8B1BaBbT77JNicA5Fy6uRwvcc
RGUW+0VtsMGuke4ee5epOyW+bn63X5PJ54WMyKhv6HId5uQl2D7qxNxrVzEcgyWW
oNLwNA9StaTXNscIFBGmLri24Pe5U9R6wmFHo9mFMDiVeY7eejNgV6DyBvUcOL/J
rCuo2Zy88K23YBTuZapXnaLsMHYJhEvAsP0KiIvHeM26T79UAbCH0VnZYMJlcns2
lBEv0GuqcUVGy1xZIb18rAscZZo97HzUswCy82JeKQjRcEyG6wab5Ns8MGeNo75U
r5jclTVphHRzZNlQgLeyESd8x5t5gT2JphMXaQfPnN18dxLadJtKOGhrvOpgojCB
iOAhlMiinKc=
=hRh1
-----END PGP SIGNATURE-----