SB2021082303 - Multiple vulnerabilities in Cisco Expressway Series and TelePresence Video Communication Server

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-34715)

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to insufficient validation of the content of upgrade packages. A remote administrator can upload a malicious archive to the Upgrade page and execute arbitrary code on the target system.

2) Improper Cleanup on Thrown Exception (CVE-ID: CVE-2021-34716)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to incorrect handling of certain crafted software images that are uploaded to the affected device. A remote administrator can upload specially crafted software images and execute arbitrary code on the underlying operating system. 

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewver-c6WZPXRx
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewrce-QPynNCjh