
TL;DR

SureCloud identified two vulnerabilities in two Cisco products:

  • Cisco Vision Dynamic Signage Director Unauthenticated XSS (known as CVE-2021-34742)
  • Cisco Vision Digital Media Player Authenticated Path Traversal (low risk issue, no CVE assigned)

The following article aims to provide a technical overview of the identified vulnerabilities.

In-scope Components

Both devices are used in venues (airports, shops, fast food, etc.) to orchestrate digital content to hundreds of TV displays. Cisco Vision Dynamic Signage Director is the core component and Cisco Vision Digital Media Player is the endpoint device connected to the TV/Display.

Media Player:

Name: CV-DMP

Description: Cisco Vision Digital Media Player

Model: CV-HD2

Boot Version: 8.0.30

Boot Extra Version: 8.0.30

Firmware Version: 8.2.42

Figure 1: Digital Media Player – Image from cisco.com

Dynamic Signage Director:

Description: Cisco Vision Dynamic Signage Director

Version: 6.3.0

Build: 1108

Figure 2: Signage Director Web Interface – Image from cisco.com

CVE-2021-34742 (Unauthenticated Reflective XSS)

The Cisco Vision Dynamic Signage Director was found to be susceptible to an instance of reflective Cross-Site Scripting (XSS) that is exploitable without authentication. XSS occurs when an application echoes user-controllable input back to the browser without first sanitizing or escaping dangerous characters.

Vulnerable page: /CiscoVision/login.html
Vulnerable parameter: timeout
PoC URL: https://target_ip/CiscoVision/login.html?login_error=3&timeout=000%3Cscript%3Ealert(document.cookie);%3C/script%3E

Figure 3: Image showing the alert() JavaScript code executed within the browser

Additional information is available at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-xss-fvdj6HK

Authenticated Path Traversal

The Cisco Vision Digital Media Player was found to be susceptible to a Path Traversal vulnerability that is exploitable by an authenticated user. This issue arises when an application accepts input that is used as part of a filesystem operation without correctly validating it, so a malicious user can supply special characters that cause the system to operate outside of the intended filesystem location. By default, the vulnerable pages give access to the filesystem on the MicroSD card; however, this can be overridden to list or download any file within the root filesystem by using the following:

Vulnerable pages: /storage.html, /save
Vulnerable parameter: rp
List content of /etc/ PoC request: http://target_ip/storage.html?rp=//etc
Download /etc/passwd file PoC request: http://target_ip/save?rp=//etc/passwd

Figure 4: Image showing the content of the device’s /etc/ folder
Figure 5: Image showing the content of the device’s /etc/passwd file

Cisco PSIRT categorized this issue as low risk, and therefore a CVE was not assigned. Additional details are available at: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy84947
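
Both issues leave a recognisable trace in request logs: a timeout value on the login page that is not a number, and an rp value on /storage.html or /save that resolves outside the MicroSD card. The following detection sketch is an added example, not part of the original post or of Cisco's code; the mount point SD_ROOT, the assumption that a legitimate timeout is purely numeric, the function names and the sample requests are all assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumption: mount point of the MicroSD card on the player (not given on the page).
SD_ROOT = "/storage/sd"

def check_request(url):
    """Return a finding string for a request URL, or None if it looks benign."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded
    if parts.path == "/CiscoVision/login.html":
        # Assumption: a legitimate timeout value consists of ASCII digits only.
        for value in params.get("timeout", []):
            if not (value.isascii() and value.isdigit()):
                return "non-numeric timeout on login.html"
    if parts.path in ("/storage.html", "/save"):
        for value in params.get("rp", []):
            # Resolve rp the way a plain path join would, then test containment.
            # A leading "/" (as in "//etc") makes the join discard SD_ROOT entirely.
            resolved = posixpath.normpath(posixpath.join(SD_ROOT, value))
            if resolved != SD_ROOT and not resolved.startswith(SD_ROOT + "/"):
                return f"rp resolves outside {SD_ROOT}: {resolved}"
    return None

# Constructed sample requests (192.0.2.10 is a documentation address, not real traffic).
SAMPLE_REQUESTS = [
    "https://192.0.2.10/CiscoVision/login.html?login_error=3&timeout=30",
    "https://192.0.2.10/CiscoVision/login.html?login_error=3"
    "&timeout=000%3Cscript%3Ealert(document.cookie);%3C/script%3E",
    "http://192.0.2.10/storage.html?rp=videos",
    "http://192.0.2.10/storage.html?rp=//etc",
    "http://192.0.2.10/save?rp=//etc/passwd",
    "http://192.0.2.10/save?rp=../../etc/passwd",
]

def scan(requests):
    """Return (url, finding) pairs for every flagged request."""
    return [(u, f) for u in requests if (f := check_request(u))]

if __name__ == "__main__":
    for url, finding in scan(SAMPLE_REQUESTS):
        print(f"{finding}\n    {url}")
```

The same containment test (normalise, then compare against the allowed root) is what a server-side fix for the rp parameter would apply before touching the filesystem.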

Disclosure Timeline:

27/05/2021: Bugs identified
29/05/2021: Technical documentation delivered to Cisco PSIRT
01/07/2021: Acknowledgment of internal triage
05/08/2021: Vendor request to postpone the disclosure
08/10/2021: Cisco released the public advisories
13/10/2021: This blog post published
