A failure in the final QA validation step of the automated software build system for the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software inadvertently allowed a set of sample, dormant exploit code used internally by Cisco in validation scripts to be included in shipping software images. This includes an exploit for the Dirty CoW vulnerability (CVE-2016-5195). The purpose of this QA validation step is to make sure the Cisco product contains the required fixes for this vulnerability.
The presence of the sample, dormant exploit code neither represents nor allows an exploitable vulnerability on the product, nor does it present a risk to the product itself, as all of the required patches for this vulnerability have been integrated into all shipping software images.
The affected software images have proactively been removed from the Cisco Software Center and will soon be replaced with fixed software images. Bug ID CSCvn17278 has been opened to track this issue.
This advisory is available at the following link:
Security Impact Rating: Informational
Source: Cisco Security Advisories