CVE-2019-1721

Cisco Expressway Series and Cisco TelePresence Video Communication Server Denial of Service Vulnerability

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the phone book feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to cause the CPU to increase to 100% utilization, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to improper handling of the XML input. An attacker could exploit this vulnerability by sending a Session Initiation Protocol (SIP) message with a crafted XML payload to an affected device. A successful exploit could allow the attacker to exhaust CPU resources, resulting in a DoS condition. Manual intervention may be required to recover the device. This vulnerability is fixed in Cisco Expressway Series and Cisco TelePresence Video Communication Server Releases X12.5.1 and later.

Una vulnerabilidad en la función phone book de Expressway Series y TelePresence Video Communication Server (VCS) de Cisco podría permitir que un atacante remoto autorizado haga que la CPU aumente al 100% de utilización, lo que causa una condición de denegación de servicio (DoS) en un sistema afectado. La vulnerabilidad es debido a un manejo inadecuado de la entrada XML. Un atacante podría aprovechar esta vulnerabilidad enviando un mensaje de Protocolo de Inicio de Sesión (SIP) con una carga XML creada a un dispositivo afectado. Una explotación con éxito podría permitirle al atacante agotar los recursos de la CPU, lo que resultaría en una condición DoS. Puede requerirse intervención manual para recuperar el dispositivo. Esta vulnerabilidad se corrigió en las versiones de Expressway Series y TelePresence Video Communication Server de Cisco X12.5.1 y posteriores.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-12-06 CVE Reserved
2019-04-18 CVE Published
2023-03-07 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (2)

URL	Tag	Source
http://www.securityfocus.com/bid/108016	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-es-tvcs-dos	2020-10-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Telepresence Video Communication Server Search vendor "Cisco" for product "Telepresence Video Communication Server"				< x12.5.1 Search vendor "Cisco" for product "Telepresence Video Communication Server" and version " < x12.5.1"		-		Affected