CVE-2020-3143
📋 TL;DR
This directory traversal vulnerability in Cisco TelePresence video endpoint software allows authenticated attackers to read and write arbitrary files on affected devices. Attackers need either In-Room Control or administrator credentials to exploit it. The vulnerability affects Cisco TelePresence Collaboration Endpoint, TelePresence Codec, and RoomOS software.
💻 Affected Systems
- Cisco TelePresence Collaboration Endpoint (CE) Software
- Cisco TelePresence Codec (TC) Software
- Cisco RoomOS Software
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to read sensitive configuration files, write malicious files, modify system settings, and potentially achieve remote code execution.
Likely Case
Unauthorized access to sensitive configuration files, credential theft, and modification of system settings leading to service disruption.
If Mitigated
Limited impact due to proper access controls, network segmentation, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires valid credentials but the vulnerability itself is straightforward directory traversal
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions depending on product - see Cisco advisory
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-telepresence-path-tr-wdrnYEZZ
Restart Required: Yes
Instructions:
1. Check Cisco advisory for exact affected versions. 2. Upgrade to fixed versions: CE Software 9.15.1 or later, TC Software 7.3.14 or later, RoomOS Software. 3. Apply patches through Cisco's standard update process. 4. Restart affected devices.
🔧 Temporary Workarounds
Restrict xAPI Access
allLimit access to the xAPI interface to trusted networks and users only
Credential Management
allImplement strong password policies and regularly rotate credentials for In-Room Control and administrator accounts
🧯 If You Can't Patch
- Implement network segmentation to isolate TelePresence devices from critical systems
- Monitor xAPI access logs for suspicious directory traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check device software version against affected versions listed in Cisco advisoryCheck Version:
Check device web interface or use SSH to check version informationVerify Fix Applied:
Verify software version has been updated to fixed versions specified in Cisco advisory📡 Detection & Monitoring
Log Indicators:
- Unusual xAPI requests with directory traversal patterns (../ sequences)
- Multiple failed authentication attempts followed by successful xAPI access
- File access patterns outside normal operational directories
Network Indicators:
- xAPI requests containing path traversal sequences
- Unusual file transfer patterns from TelePresence devices
SIEM Query:
source="telepresence_logs" AND (message="*../*" OR message="*xAPI*" AND (message="*read*" OR message="*write*"))