Release Notes
Cisco TelePresence Conductor Release Notes (XC2.3.1)
Firewall rules
Firewall rules can now be added to the TelePresence Conductor. They provide the ability to configure IP
table rules that control access to the TelePresence Conductor at the IP level.
Addition of multiple administrator accounts
It is now possible to add multiple administrator accounts with pre-determined access level settings.
Other changes and improvements
Improvements have been made to the TelePresence Conductor web interface.
Resolved issues
Resolved in XC2.3.1
The following issues were found in previous releases and were resolved in XC2.3.1:
Identifier: CSCur05556
Symptom: An unauthenticated attacker can bypass the web UI authentication check and gain
access to the administration web UI.
Conditions: The attacker must possess a specially crafted web cookie.
Workaround: There is no workaround, but the attack surface can be reduced by disabling web
access from outside the enterprise.

Identifier: CSCur02103
Symptoms: TelePresence Conductor includes a version of Bash that is affected by the
vulnerabilities identified by the Common Vulnerabilities and Exposures (CVE) IDs:
- CVE-2014-6271
- CVE-2014-6277
- CVE-2014-6278
- CVE-2014-7169
- CVE-2014-7186
- CVE-2014-7187
This bug has been opened to address the potential impact on this product.
Conditions: The vulnerability is exposed through the API over HTTP(S) and/or SSH, but
authentication is required to exploit it.
Workaround: Configure firewall rules on TelePresence Conductor (using the firewall rules
feature on TelePresence Conductor) to deny HTTP(S) and SSH access from unknown IP addresses
and/or address ranges.
If TelePresence Conductor is behind a firewall, manage SSH/HTTP(S) traffic to TelePresence
Conductor products.
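
The workaround for CSCur02103 amounts to a default-deny allowlist for SSH and HTTP(S). The following Python is an added example, not Cisco code and not TelePresence Conductor rule syntax: it audits a planned allowlist against constructed connection samples and flags ranges too wide to count as "known". The rule format, the min_prefix threshold, the port numbers and all addresses are assumptions made for illustration.

```python
import ipaddress

# Services named in the workaround; port numbers are the usual defaults (assumed).
SERVICES = {"ssh": 22, "http": 80, "https": 443}

# Constructed allowlist using documentation address ranges (hypothetical format).
ALLOW_RULES = [
    ("192.0.2.10", "ssh"),         # single admin workstation
    ("198.51.100.0/24", "https"),  # management subnet
    ("0.0.0.0/0", "http"),         # mistake: matches every IPv4 source
]

# Constructed connection attempts: (source address, destination port).
SAMPLE_CONNECTIONS = [
    ("192.0.2.10", 22),
    ("198.51.100.77", 443),
    ("203.0.113.5", 22),
    ("203.0.113.5", 80),
    ("198.51.100.77", 5060),
]

def parse_rules(rules):
    """Turn (address-or-range, service) pairs into (network, port) pairs."""
    return [(ipaddress.ip_network(src, strict=False), SERVICES[svc])
            for src, svc in rules]

def overly_broad(rules, min_prefix=8):
    """Return rules whose range is too wide to mean 'known' (IPv4-oriented)."""
    return [(str(net), port) for net, port in parse_rules(rules)
            if net.prefixlen < min_prefix]

def decide(rules, src, port):
    """Default-deny for SSH and HTTP(S); other ports are outside the workaround."""
    if port not in SERVICES.values():
        return "not-covered"
    addr = ipaddress.ip_address(src)
    for net, rule_port in parse_rules(rules):
        if port == rule_port and addr.version == net.version and addr in net:
            return "allow"
    return "deny"

def audit(rules, connections):
    """Return (source, port, decision) for every sample connection."""
    return [(src, port, decide(rules, src, port)) for src, port in connections]

if __name__ == "__main__":
    for src, port, verdict in audit(ALLOW_RULES, SAMPLE_CONNECTIONS):
        print(f"{src:>15} -> {port:<5} {verdict}")
    print("overly broad:", overly_broad(ALLOW_RULES))
```

In the sample data the unknown source 203.0.113.5 is denied on SSH but still reaches HTTP, because the 0.0.0.0/0 entry silently turns that service back into allow-all.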
Resolved in XC2.3
The following issues were found in previous releases and were resolved in XC2.3: