An information disclosure vulnerability has been discovered in the web application functionality of Polycom’s RealPresence Debut endpoint. This vulnerability could allow a remote attacker to gain administrator access to Debut’s web UI. In addition, it was discovered that the admin session cookie for Debut’s web application interface is only updated when the Debut is rebooted.
CVE-2018-10946 - Debut Exposure of Sensitive Information to an Unauthorized Actor
A vulnerability exists in the certificate validation process due to improper validation checks. An attacker could use this vulnerability to carry out a man-in-the-middle (MitM) attack, which could compromise the confidentiality of information exchanged with the device and potentially leak critical information.
CVE-2018-10947 - Debut Improper Input Validation
An issue was discovered in Polycom RealPresence Debut versions earlier than 1.3.2, where the admin cookie is reset only after a Debut is rebooted.
Poly released a firmware update to address this vulnerability.
Last Update: 3/14/2022
Initial Public Release: 5/10/2018
Advisory ID: PLYTV18-03
CVE ID: CVE-2018-10946
CVSS Score: 6.8
CVE ID: CVE-2018-10947
CVSS Score: 3.3
Affected Versions: Prior to 1.3.2
Fixed Versions: 1.3.2 and above
Poly recommends customers upgrade to firmware build 1.3.2 or later.
Poly recommends following standard best practices for Unified Communications, as detailed in our best practices paper.
Poly would like to thank Malte Buhse and Lionne-Jeremias Stangier for reporting security vulnerabilities to us and for their coordinated disclosure.