Cisco Security Advisory - Cisco TelePresence Collaboration Endpoint Software Information Disclosure Vulnerability

Started by Netwörkheäd, December 21, 2020, 06:36:45 PM


Netwörkheäd

Cisco TelePresence Collaboration Endpoint Software Information Disclosure Vulnerability

A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected device.


The vulnerability is due to improper storage of sensitive information on an affected device. An attacker could exploit this vulnerability by accessing information that should not be accessible to users with low privileges. A successful exploit could allow the attacker to gain access to sensitive information.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tele-info-DrEGLpDQ

Security Impact Rating: Medium

CVE: CVE-2020-26086
Source: Cisco TelePresence Collaboration Endpoint Software Information Disclosure Vulnerability
Let's not argue. Let's network!

Dieselboy

I have a few of these devices.

What sort of "sensitive information" would be disclosed? I'm curious because to set these devices up in the Webex cloud, all I do is enter in the code generated from the cloud. This then applies the device within a room and is given a name which I specify.

In terms of normal usage, people walk into the room and they are discovered using high-frequency sound waves (ultrasound). Their Webex software picks up the sound and then they are paired with that device.

The devices are used normally via audio and video calls and whiteboarding. The persons' names appear on the device when paired.

deanwebb

It's an authenticated remote attacker, so I'm presuming it's a privilege escalation that would allow admin access to stored calls.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.