Vulnerability Summary
The WannaCry ransomware takes advantage of flaws in Microsoft’s implementation of the SMBv1 protocol. Poly’s currently released appliances and endpoints are not vulnerable to WannaCrypt because they use a variant of Linux or Android.
Poly has a legacy provisioning and management server called CMA, which was Windows-based. Customers with the CMA may wish to transition from their existing CMA by upgrading to Poly’s RealPresence Resource Manager to avoid potential exposure to WannaCry.
There is no risk from WannaCry in current Poly appliances and endpoints.
Details
CVE-2017-0146
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.
CVE-2017-0147
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packet, aka "Windows SMB Information Disclosure Vulnerability."
Published
Last Update: 3/14/2022
Initial Public Release: 5/16/2017
Advisory ID: PLYGN17-02
CVE ID: CVE-2017-0146
CVSS Score: 8.3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2017-0147
CVSS Score: 5.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Solution
No action is necessary.
Workaround
There is no workaround.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
Revision History
VERSION | DATE | DESCRIPTION |
---|---|---|
1.0 | 5/16/2017 | Initial Release |
1.1 | 8/10/2017 | Updated verbiage for clarity based on customer feedback |
2.0 | 3/14/2022 | Format Changes |
©2022 Plantronics, Inc. All rights reserved.
Trademarks
Poly, the propeller design, and the Poly logo are trademarks of Plantronics, Inc. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Poly.
Disclaimer
While Poly uses reasonable efforts to include accurate and up-to-date information in this document, Poly makes no warranties or representations as to its accuracy. Poly assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Poly reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin.
Limitation of Liability
Poly and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Poly and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive, or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Poly has been advised of the possibility of such damages.