Room kit mini (USB) : ICMP Timestamp Request Remote Date Disclosure

arjan.de.goede
Level 1

Hi, we have several Room Kit Mini USB systems connected to our network (just to view the status and update the firmware, since they are not enrolled in the Webex environment; they are just used in BYOD mode).

Now our security department found several issues with them:

1. ICMP Timestamp Request Remote Date Disclosure: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

2. SSL Self-signed Certificate: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

3. HSTS Missing From HTTPS Server (RFC 6797): The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

How can these things be fixed? (Of course I can update them to the latest firmware and then disconnect them from the network...)

Thanks!
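Item 3 in the question is a judgement about a single response header. The following is an added example, not part of the original post or any Cisco software, that parses a Strict-Transport-Security value by the RFC 6797 rules (case-insensitive directive names, mandatory max-age, quoted or bare values, repeated directives invalidating the field, unknown directives ignored) and classifies constructed sample responses the way the scanner finding does, so an administrator can confirm a fix rather than re-run a scan.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample header sets (not captured from any Room Kit): one per
# outcome the scanner text above describes.
SAMPLE_RESPONSES = {
    "missing": {"Server": "nginx", "Content-Type": "text/html"},
    "ok": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "quoted": {"strict-transport-security": 'Max-Age="600"; preload'},
    "zero": {"Strict-Transport-Security": "max-age=0"},
    "dup": {"Strict-Transport-Security": "max-age=100; max-age=200"},
}
# directive = name [ "=" ( token / quoted-string ) ], per RFC 6797 section 6.1
_DIRECTIVE = re.compile(r'^\s*([^\s=;"]+)\s*(?:=\s*(?:"([^"]*)"|([^\s;"]*)))?\s*$')

def parse_hsts(value: str) -> Tuple[Optional[int], Dict[str, bool], list]:
    """Return (max_age, flags, errors). Names are case-insensitive, max-age is
    mandatory, a repeated directive makes the field invalid, unknown ones are ignored."""
    max_age, flags, errors, seen = None, {"includesubdomains": False, "preload": False}, [], set()
    for raw in value.split(";"):
        if not raw.strip():
            continue                       # tolerate a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            errors.append(f"malformed directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            errors.append(f"directive repeated: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                errors.append("max-age must be a non-negative integer")
            else:
                max_age = int(val)
        elif name in flags:
            flags[name] = True
    if max_age is None and not any("max-age" in e for e in errors):
        errors.append("required max-age directive missing")
    return max_age, flags, errors

def hsts_finding(headers: Dict[str, str]) -> str:
    """Classify one response as the scanner does: 'missing', 'invalid',
    'disabled' (max-age=0 tells browsers to drop the policy) or 'enforced'."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    max_age, _flags, errors = parse_hsts(value)
    if errors:
        return "invalid"
    return "disabled" if max_age == 0 else "enforced"
```

To check a real device, replace SAMPLE_RESPONSES with the header dictionary from an HTTPS response to its web interface; only "enforced" would clear the finding.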

1 Reply

If you're not going to have them connected to the network and are just using them via USB-C cable as cameras/microphones/speakers, then you probably don't need to address any of those issues.

Items 1 and 3 you probably can't do much about, other than log a feature request with Cisco to have them look into and address with a possible future software update.

Item 2 you could fix by installing a proper signed certificate on the device rather than using its default Self-Signed one.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.