back to article Cisco TelePresence control software had remote-exploitable bug

Cisco has turned up a packet fragmentation issue in its TelePresence Multipoint Control Unit software that opens up a denial-of-service and remote code execution vulnerability. Announced here, the bug has been patched, but if you need time to install the fix, you can configure the TelePresence system to run in “transcoded” …


    Vid Conf is a mess

    The whole legacy video Telepresense style Conf technolgy is a messy. The H323 protocols were not designed to play nice with firewalls and Network Address Translation. For calls inside the company H323 work just fine. Call setup uses a central server called a gatekeeper who knows who can do what, and approves each call. Your MCU will talk to the Gatekeeper and say, "if you want to mix video sources, I can do that". Your ISDN gateway will talk to the Gatekeeper and say, "If you want to use the phone lines/ISDN, I can do that". Ad hoc calls between companies works very badly. By default Gatekeepers do not assume trust, and do-not co-operate. Both system admin need to manually set up the trust in thier gatekeepers . caller by caller. In very simple setup you can bypass the server to call direct, if there is no NAT, no firewall, and no ISDN and no MCU.

    If you remember Netmeeting - it was in direct mode. But when you got a 192 - 172 - 10 address, you stopped getting calls. Thats the NAT issue.

    But between companies, there will be NAT, and you probaby want to accept phone calls into the meeting, at least sometimes.

    In practice, if you have an MCU, it probably not anywhere in the network where it can get contacted by strangers. All MCU appliciances I have seen are rebranded RadVision.

    If your MCU audio message says in English "press the pound sign" - its Cisco/Codian/Tandberg/Radvision and likely to have the security issue.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019