Improper Restriction of Operations within the Bounds of a Memory Buffer
Vulnerability Summary
A vulnerability was discovered in the firmware build 5.0.9.3 of CCX 500. A flaw in the certificate validation process could allow a MitM attack.
Details
CVE-2018-15128 - Improper Restriction of Operations within the Bounds of a Memory Buffer
An issue was discovered in Polycom Group Series 6.1.6.1 and earlier, HDX 3.1.12 and earlier, and Pano 1.1.1 and earlier. A remote code execution vulnerability exists in the content sharing functionality because of a Buffer Overflow via crafted packets.
Poly released a firmware update to address this vulnerability. There is no workaround.
Published
Last Update: 3/14/2022
Initial Public Release: 11/1/2018
Advisory ID: PLYTV18-11
CVE ID: CVE-2018-15128
CVSS Score: 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Product Affected
PRODUCTS | FIRMWARE | FIX |
---|---|---|
Group Series | 6.1.3, 6.1.4, 6.1.5, 6.1.6 | 6.1.7 and later |
HDX | 3.1.12 | 3.1.13 and later |
Pano | 1.1.1 | 1.2.1 and later |
Solution
Poly recommends customers upgrade to the respective firmware builds or later.
Workaround
There is no workaround.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
Recognition
Poly would like to thank Frank Cozijnsen from KPN for reporting security vulnerabilities to us and for their coordinated disclosure.
Revision History
VERSION | DATE | DESCRIPTION |
---|---|---|
1.0 | 11/1/2018 | Initial Release |
2.0 | 3/14/2022 | Format Changes |