Trio Devices - Incorrect Permission Assignment for Critical Resource
Vulnerability Summary
A weakness was identified in the Polycom Trio Bluetooth stack which could allow an attacker to use the Trio’s microphone to record sound remotely without authentication or notification of the user.
Details
CVE 2018-14934 – Trio Incorrect Permission Assignment for Critical Resource
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone.
Poly released a firmware update to address this vulnerability. There is no workaround.
Published
Last Update: 3/14/2022
Initial Public Release: 11/1/2018
Advisory ID: PLYVC18-09
CVE ID: CVE-2018-14934
CVSS Score: 6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Product Affected
| PRODUCTS | FIRMWARE | FIX |
|---|---|---|
| Trio | Prior to UC Software 5.5.4 |
Poly UC Software 5.7.2 |
Solution
Poly recommends customers upgrade to firmware build 5.7.2 or later.
Workaround
There is no workaround.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
RECOGNITION
Poly would like to thank Phil Wilcox from Cyberis Ltd. for reporting security vulnerabilities to us and for their coordinated disclosure.
Revision History
| VERSION | DATE | DESCRIPTION |
|---|---|---|
| 1.0 | 11/1/2018 | Initial Release |
| 2.0 | 3/14/2022 | Format Changes |