iwstechuser
Cisco Meeting Place Express - PCI scan failure

Looking for some help here - we run Cisco Meeting Place Express v2.1.1.2.  We are working on PCI compliance and this site consistently fails.  The scan results are below:


Synopsis: The remote Flash media server is affected by multiple vulnerabilities.
Description: The remote host is running Adobe's Flash Media Server, an application server for Flash-based applications. The Edge server component included with the version of Flash Media Server installed on the remote host contains several integer overflow and memory corruption errors that can be triggered when parsing specially-crafted Real Time Message Protocol (RTMP) packets. An unauthenticated remote attacker can leverage these issues to crash the affected service or execute arbitrary code with SYSTEM-level privileges (under Windows), potentially resulting in a complete compromise of the affected host.
See also:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=662
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=663
http://archives.neohapsis.com/archives/bugtraq/2008-02/0180.html
http://archives.neohapsis.com/archives/bugtraq/2008-02/0184.html
http://www.adobe.com/support/security/bulletins/apsb08-03.html
http://www.adobe.com/support/documentation/en/flashmediaserver/205/FMS_2_0_5_ReleaseNotes.pdf
Solution: Upgrade to Flash Media Server 2.0.5 or later.
Risk Factor: Critical / CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE: CVE-2007-6431, CVE-2007-6148, CVE-2007-6149
BID: 27762
Other references: OSVDB:41538, OSVDB:41539, OSVDB:41540, Secunia:28946

Synopsis: The remote media server is affected by multiple vulnerabilities.
Description: The remote host is running Adobe Flash Media Server, an application server for Flash-based applications. The version running on the remote host is earlier than version 3.5.3. Such versions are potentially affected by the following vulnerabilities:
- A resource exhaustion vulnerability can lead to a denial of service. (CVE-2009-3791)
- A directory traversal vulnerability can lead to FMS loading arbitrary DLLs present on the server. (CVE-2009-3792)
See also: http://www.adobe.com/support/security/bulletins/apsb09-18.html
Solution: Upgrade to Flash Media Server 3.5.3 or later.
Risk Factor: Critical / CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE: CVE-2009-3791, CVE-2009-3792
BID: 37419, 37420
Other references: Secunia:37891, OSVDB:61241, OSVDB:61242

Synopsis: The remote media server has a privilege escalation vulnerability.
Description: The remote host is running Adobe Flash Media Server, an application server for Flash-based applications. The version running on the remote host has an unspecified RPC vulnerability. This can reportedly be exploited to execute remote procedures within a server-side ActionScript file running on the server.
See also: http://www.adobe.com/support/security/bulletins/apsb09-05.html
Solution: Upgrade to Flash Media Server 3.5.2 / 3.0.4 or later.
Risk Factor: High / CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2009-1365
BID: 34790
Other references: OSVDB:54265, Secunia:34878


Has anyone else run into this issue, or can anyone point me in the direction of resolving it? We have contacted Cisco. They provided a patch to us, but after applying the patch we had more vulnerabilities than before. If anyone has any suggestions or needs more, let me know.
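The scan output above is the usual flattened scanner export: the same plugin fires once per listening port, so two of the five findings are exact repeats, and every finding carries an "Upgrade to ... or later" line. The script below is an added example, not part of the original question or of any Cisco or Adobe tooling. It parses a constructed, abridged copy of the findings quoted above, collapses the duplicates by CVE set, works out the single FMS version that would clear every solution line, and reports which CVEs a given installed version would still leave open. The branch-aware comparison (a fix is per major.minor release train, as in "3.5.2 / 3.0.4") is my assumption about how to read those solution lines, not something the scanner states.

```python
"""Parse flattened PCI/Nessus-style findings for Adobe Flash Media Server.

Added example: dedupe repeated findings, compute the one FMS version that
satisfies every 'Upgrade to X or later' line, and list CVEs still open at a
given installed version.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the findings from the question, with descriptions abridged.
SAMPLE_REPORT = """\
Synopsis : The remote Flash media server is affected by multiple vulnerabilities. Description : Edge server RTMP integer overflows. Solution: Upgrade to Flash Media Server 2.0.5 or later. Risk Factor: Critical  / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE : CVE-2007-6431, CVE-2007-6148, CVE-2007-6149 BID : 27762 [More]

Synopsis : The remote media server is affected by multiple vulnerabilities. Description : Version earlier than 3.5.3. Solution: Upgrade to Flash Media Server 3.5.3 or later. Risk Factor: Critical  / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE : CVE-2009-3791, CVE-2009-3792 BID : 37419, 37420 [More]

Synopsis : The remote Flash media server is affected by multiple vulnerabilities. Description : Edge server RTMP integer overflows. Solution: Upgrade to Flash Media Server 2.0.5 or later. Risk Factor: Critical  / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE : CVE-2007-6431, CVE-2007-6148, CVE-2007-6149 BID : 27762 [More]

Synopsis : The remote media server has a privilege escalation vulnerability. Description : Unspecified RPC vulnerability. Solution: Upgrade to Flash Media Server 3.5.2  / 3.0.4 or later. Risk Factor: High  / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE : CVE-2009-1365 BID : 34790 [More]

Synopsis : The remote media server has a privilege escalation vulnerability. Description : Unspecified RPC vulnerability. Solution: Upgrade to Flash Media Server 3.5.2  / 3.0.4 or later. Risk Factor: High  / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE : CVE-2009-1365 BID : 34790 [More]
"""

Version = Tuple[int, ...]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SOLUTION_RE = re.compile(r"Solution:\s*(.*?)\s*Risk Factor:", re.S)
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")
CVSS_RE = re.compile(r"CVSS Base Score\s*:\s*([\d.]+)")


def parse_version(s: str) -> Version:
    """'3.5.2' -> (3, 5, 2), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def parse_findings(report: str) -> List[Dict]:
    """One finding per 'Synopsis' block: CVE set, CVSS score, fixed versions."""
    findings = []
    for chunk in re.split(r"(?=Synopsis\s*:)", report):
        chunk = chunk.strip()
        if not chunk.startswith("Synopsis"):
            continue
        sol = SOLUTION_RE.search(chunk)
        solution = sol.group(1) if sol else ""
        cvss = CVSS_RE.search(chunk)
        findings.append({
            "cves": tuple(sorted(set(CVE_RE.findall(chunk)))),
            "cvss": float(cvss.group(1)) if cvss else None,
            # Only versions named in the Solution line count as fixes.
            "fixed_versions": [parse_version(v) for v in VERSION_RE.findall(solution)],
        })
    return findings


def dedupe(findings: List[Dict]) -> List[Dict]:
    """Scanners report the same plugin once per port; collapse by CVE set."""
    seen: Dict[Tuple[str, ...], Dict] = {}
    for f in findings:
        seen.setdefault(f["cves"], f)
    return list(seen.values())


def required_version(findings: List[Dict]) -> Version:
    """Highest fix version named anywhere; anything at or above it clears all lines."""
    return max(v for f in findings for v in f["fixed_versions"])


def open_cves(installed: str, findings: List[Dict]) -> List[str]:
    """CVEs still open at `installed`.

    Assumption: fixes are per release branch (major.minor). A finding is closed
    once the installed build is at or past the fix for its own branch, or sits
    on a newer branch than any the scanner names.
    """
    v = parse_version(installed)
    branch = v[:2]
    still_open: List[str] = []
    for f in findings:
        fixes = f["fixed_versions"]
        if not fixes:
            continue
        same_branch = [fx for fx in fixes if fx[:2] == branch]
        if same_branch:
            fixed = v >= min(same_branch)
        else:
            fixed = branch > max(fx[:2] for fx in fixes)
        if not fixed:
            still_open.extend(f["cves"])
    return sorted(set(still_open))


if __name__ == "__main__":
    unique = dedupe(parse_findings(SAMPLE_REPORT))
    print(f"{len(unique)} unique findings; upgrade target:",
          ".".join(map(str, required_version(unique))))
    for ver in ("2.0.3", "3.0.4", "3.5.3"):
        print(ver, "still open:", open_cves(ver, unique) or "none")
```

Running it against the five pasted findings yields three unique findings and an upgrade target of 3.5.3, the version the second finding already names; a 3.0.4 build would clear the RTMP and RPC findings but keep CVE-2009-3791 and CVE-2009-3792 open. Feeding it the post-patch scan would show at a glance which findings the Cisco patch actually removed.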
astralcomputing

A couple of thoughts:
1. Why are you running Cisco Meeting Place on your PCI-required system?
2. Mostly what this is telling you is that you need to upgrade your Flash Media Server; however, this apparently did not help.
3. The issue with this apparently stems from the Adobe Flash server, not actually from Cisco, even though Cisco is using the Flash server.

Verify your current version of flash if you can.

To verify the Adobe Flash Media Server version, launch the Flash Media Server Administration console, click the Manage Servers > License tab, and note the release version.

Please reply and I'll try to help if I can.



iwstechuser (asker)
Just to clarify: we are not running this on our PCI-compliant segment, but since the site is externally accessible we have to have it scanned quarterly. I'll provide the Flash version as soon as I can. Thanks!
ASKER CERTIFIED SOLUTION
ngravatt
OK. When you get it, perhaps you can contact Adobe directly and see if they have anything for you. Meantime, I'll check around and see what I can come up with.