Credit:
The information has been provided by Florent Daigniere.
The original article can be found at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b5b51d.shtml
Vulnerable Systems:
* Cisco Unified Videoconferencing 5110 System
* Cisco Unified Videoconferencing 5115 System
* Cisco Unified Videoconferencing 5230 System
* Cisco Unified Videoconferencing 3545 System
* Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway
* Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway
* Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU)
Hard-Coded Credentials in Cisco UVC Products
The Linux shadow password file contains three hard-coded usernames and passwords. The passwords cannot be changed, and the accounts cannot be deleted. Attackers could leverage these accounts to obtain remote access to a device by using permitted remote access protocols. This vulnerability only affects Linux-based operating system Cisco UVC products.
Remote Command Injection on the Web Interface in Cisco UVC Products
Several fields in the web server interface of Cisco UVC products are vulnerable to shell command injection. An administrator user who is authenticated to the web interface of Cisco UVC products could exploit this vulnerability to execute root-level commands on the Linux operating system. Exploitation of this vulnerability could result in a complete compromise of the device. This vulnerability affects Linux-based operating system Cisco UVC products. It may also affect VxWorks-based Cisco UVC products.
Weak Obfuscation of Credentials in Cisco UVC Products
An attacker who can obtain access to the Linux operating system could retrieve a file that is used to store the administrator and operator accounts of the Cisco UVC web GUI. The passwords in this file are obfuscated using an easily reversible hashing scheme. Exploit code that assists in recovering the passwords exists. This vulnerability affects only Linux-based operating system Cisco UVC products.
FTP Server Accessible by Default in Cisco UVC Products
The FTP server is enabled by default on Cisco UVC systems. An attacker can leverage the FTP server to exploit other vulnerabilities in this Cisco Security Response. Authentication is required to log into the device via the FTP server. This service misconfiguration affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.
Shadow Password File has Read Permissions for All Users in Cisco UVC Products
The shadow password file should only be readable by the root account. Allowing read access to the shadow password file allows other users of the system with shell access to retrieve it. An authenticated user who has access to the Linux operating system directories may be able to retrieve the shadow password file. This service misconfiguration only affects Linux-based operating system Cisco UVC products.
Lock Down OpenSSH Configuration in Cisco UVC Products
The SSH server has a restricted shell; however, the configuration of the SSH server allows X11 forwarding and allows SOCKS proxies to be created. This service misconfiguration affects only Linux-based operating system Cisco UVC products.
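As an added example (not part of the Cisco advisory), the following Python script audits `sshd_config` text for the two settings this item names: X11 forwarding and TCP forwarding, which SOCKS proxies rely on. It assumes stock OpenSSH defaults when a keyword is absent; the sample configurations and the restricted-shell path are constructed for illustration.

```python
# Assumed stock OpenSSH defaults when a keyword is absent from the file.
DEFAULTS = {"x11forwarding": "no", "allowtcpforwarding": "yes"}

def parse(config_text):
    """Split sshd_config text into [global, match1, ...] scopes."""
    scopes = [("global", {})]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scopes.append(("Match " + value, {}))
        else:
            # sshd keeps the first value given for a keyword in a scope
            scopes[-1][1].setdefault(key, value.lower())
    return scopes

def audit(config_text):
    """Return (scope, keyword, value) for settings that permit forwarding."""
    scopes = parse(config_text)
    findings = []
    for index, (scope, settings) in enumerate(scopes):
        # Defaults apply to the global scope; a Match block only overrides.
        current = dict(DEFAULTS, **settings) if index == 0 else settings
        for key in DEFAULTS:
            # Any value other than "no" (yes, all, local, remote) is flagged.
            if key in current and current[key] != "no":
                findings.append((scope, key, current[key]))
    return findings

# Constructed sample: restricted shell, but forwarding still possible.
WEAK = """\
X11Forwarding yes
ForceCommand /usr/local/bin/restricted-shell
"""

# Constructed sample: the same service with forwarding switched off.
HARDENED = """\
X11Forwarding no
AllowTcpForwarding no
ForceCommand /usr/local/bin/restricted-shell
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no forwarding findings")
```

The weak sample is flagged twice: once for the explicit `X11Forwarding yes` and once because `AllowTcpForwarding` is missing and therefore falls back to its permissive default.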
Daemon That Binds the Port of the Web Interface Runs as root in Cisco UVC Products
An attacker who exploits a flaw in a script that runs with root permissions could gain write access to files, access the system, or cause a denial of service. This service misconfiguration affects only Linux-based operating system Cisco UVC products.
Weak Session IDs on the Web Interface in Cisco UVC Products
The Cisco UVC web interface has session IDs that are incremented based on a time counter. Predictable session IDs assist in the hijacking of user sessions. This vulnerability affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.
Usage of Cookies to Store Credentials in Cisco UVC Products
On Linux-based Cisco UVC products, web interface credentials are stored in Base64 format in the cookie that is sent to a browser. On VxWorks-based Cisco UVC products, web interface credentials are stored in Base64 format or in clear text. This vulnerability affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.
Patch Availability:
Consult http://www.cisco.com/go/psirt to determine exposure and a complete upgrade solution.
Workaround:
Administrators can mitigate these vulnerabilities by limiting access to the Cisco UVC web server to only trusted hosts.
CVE Information:
CVE-2010-3037
CVE-2010-3038
Disclosure Timeline:
2010-November-17 Revision 1.0
2010-December-06 Revision 1.1