PatchSiren cyber security CVE debrief
CVE-2017-3792 Cisco CVE debrief
CVE-2017-3792 is a critical, network-reachable flaw in Cisco TelePresence MCU Software that can be triggered by an unauthenticated remote attacker. Improper size validation during fragmented IPv4/IPv6 packet reassembly can overflow a buffer, creating a path to arbitrary code execution or a denial of service on affected MCU systems in Passthrough content mode.
- Vendor: Cisco
- Product: CVE-2017-3792
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for Cisco TelePresence MCU 5300 Series, TelePresence MCU MSE 8510, and TelePresence MCU 4500 deployments, especially systems running TelePresence MCU Software 4.3(1.68) or later with Passthrough content mode enabled.
Technical summary
Cisco and NVD describe a vulnerability in a proprietary device driver in the kernel of Cisco TelePresence MCU Software. The issue is improper size validation when reassembling fragmented IPv4 or IPv6 packets. Crafted fragments sent to a port receiving content in Passthrough content mode may overflow a buffer. NVD lists CWE-20 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, consistent with remote unauthenticated impact.
Defensive priority
Urgent: the issue is remotely reachable, requires no authentication, and is scored CVSS 9.8 with potential for both code execution and DoS.
Recommended defensive actions
- Identify whether any Cisco TelePresence MCU 5300 Series, MSE 8510, or 4500 systems are running affected TelePresence MCU Software releases and whether Passthrough content mode is enabled.
- Apply Cisco's software updates that address the vulnerability as soon as practical.
- Use Cisco's published mitigations if immediate patching is not possible.
- Review exposure to the affected content-receiving ports and limit network access to the MCU where feasible.
- Prioritize validation of every deployed MCU software build against the Cisco advisory and NVD CPE/version mapping.
Evidence notes
Cisco's advisory and the NVD record both describe unauthenticated remote exploitation via crafted IPv4/IPv6 fragments against a kernel device driver. The supplied corpus attributes the issue to improper input validation (CWE-20), reports CVSS 3.0 9.8, and states that software updates are available while workarounds are not available, though mitigations exist.
Official resources
- CVE-2017-3792 CVE record (CVE.org)
- CVE-2017-3792 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed on 2017-02-01 via the CVE/NVD record and Cisco vendor advisory; the NVD record was last modified on 2026-05-13.