Cisco: CISCO-SA-20150316-CVE-2015-0660
Mar 16, 2015 - 9:11 p.m.

Cisco Virtual TelePresence Server Serial Console Privileged Access Vulnerability

2015-03-16 21:11:04
tools.cisco.com

CVSS2: 7.2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0
Percentile: 5.1%

A vulnerability in Cisco Virtual TelePresence Server Software could allow an authenticated, local attacker to access the shell of the underlying operating system with the privilege level of the root user.

The vulnerability is due to undocumented privileged access through the serial connection, which is available via the vSphere controller. An attacker could exploit this vulnerability to obtain privileged access to the underlying operating system. The attacker would need to have administrative privileges on the vSphere controller. An exploit could allow the attacker to access the underlying operating system with the privileges of the root user. Cisco TelePresence Server Software for appliances is not affected by this vulnerability.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must authenticate and have local access to the targeted system. These requirements may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional code exists; however, the code is not known to be publicly available.

Affected configurations

Vendor: cisco
Product: telepresence_server_software
Version: any
CPE: cpe:2.3:a:cisco:telepresence_server_software:any:*:*:*:*:*:*:*
