A patch is available to fix a vulnerability that can lead to denial-of-service (DoS) attacks in the Cisco Videoscape Distribution Suite for Internet Streaming (VDS-IS), but not yet for the Cisco Videoscape Distribution Suite Service Broker (VDS-SB) product.
Cisco VDS-IS users can fix the flaw by updating to versions 3.3.1 R7, 4.0.0 R4 or 4.1.1. For VDS-SB, however, there is no patch or workaround that mitigates the flaw.
Cisco said it is not aware of instances in which the vulnerability has been exploited for malicious purposes. The Cisco Technical Assistance Center discovered the hole while investigating a user issue.
Cisco Videoscape Distribution Suite for Internet Streaming (VDS-IS), formerly known as Cisco Content Delivery System for Internet Streaming (CDS-IS), distributes, caches and delivers managed content across multiple devices. Cisco Videoscape Distribution Suite Service Broker (VDS-SB) performs client request routing in a multiple Content Delivery Network (CDN) environment.
Cisco said a vulnerability caused by improper input validation (CVE-2015-0725) exists in the HTTP processing module of these products. The flaw allows a remote, unauthenticated attacker to cause a reload of the affected device — a DoS condition — by sending it a specially crafted HTTP request.
“Successful exploitation of the vulnerability could allow the attacker to trigger device instability and could cause a device to reload. Repeated exploitation could result in a sustained DoS condition,” Cisco said in its advisory.
The vulnerability affects all versions of Cisco VDS-IS and CDS-IS prior to 3.3.1 R7 and 4.0.0 R4. The bug also impacts all versions of Cisco VDS-SB configured as Videoscape Delivery Suite Service Manager (VDSM) and running on the Cisco Unified Computing System (UCS) platform.