Credit:
The original article can be found at: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4659
Vulnerable Systems:
* Cisco IP Video Phone E20 devices that have been upgraded to TE 4.1.0
Cisco TelePresence TE Software historically contained a single account that acted as both admin and root. This single super account used the same password for both admin and root authentication and was always enabled. TE 4.1.0 introduced an architectural change intended to harden the devices by letting administrators disable the root account: the super account is split into two separate accounts, root and admin, and the root account is disabled by default.
In many cases, customers upgrading from a previous release of TE software to TE 4.1.0 are likely to encounter an error condition in which the root account is not properly disabled. As a result, the root account remains accessible via SSH with a default password. It was subsequently discovered that the command intended to let an administrator enable or disable the root account does not function correctly.
Vendor Status:
Cisco has issued an update to correct this vulnerability.
Patch Availability:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-te
CVE Information:
CVE-2011-4659
Disclosure Timeline:
2012-January-18 Initial Public Release