Vulnerability Note VU#213486
LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability
The LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability caused by a failure to sanitize input from unauthenticated clients.
According to LifeSize's website, "LifeSize Room combines an immersive, high definition video experience with a rich set of features to deliver a powerful, flexible, and easy-to-use video communication solution."
The LifeSize Room appliance contains an embedded web interface that allows administrative access to the appliance. This web interface fails to sanitize input from unauthenticated clients, leading to an authentication bypass and possibly arbitrary code injection.
A remote, unauthenticated attacker can bypass the authentication of the administrative web interface and possibly inject arbitrary code into the administrative system web interface.
Restrict network access
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Logitech | Affected | 21 Jul 2011 | 19 Oct 2011 |
Thanks to Spencer McIntyre of SecureState for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2011-2762, CVE-2011-2763
- Date Public: 29 Aug 2011
- Date First Published: 29 Aug 2011
- Date Last Updated: 19 Oct 2011
- Severity Metric: 1.36
- Document Revision: 26