

Cisco IP Phones unauthorized access
Published: 21.02.2007
Source:
SecurityVulns ID: 7275
Type: remote
Threat Level: 7/10
Description: It's possible to access the web interface without a password. There is a built-in hardcoded user account with SSH access.
Affected: CISCO : Cisco Unified IP Conference Station 7935
 CISCO : Cisco Unified IP Conference Station 7936
 CISCO : Cisco Unified IP Phone 7906G
 CISCO : Cisco Unified IP Phone 7911G
 CISCO : Cisco Unified IP Phone 7941G
 CISCO : Cisco Unified IP Phone 7961G
 CISCO : Cisco Unified IP Phone 7970G
 CISCO : Cisco Unified IP Phone 7971G
CVE: CVE-2007-1072 (The command line interface (CLI) in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier allows local users to obtain privileges or cause a denial of service via unspecified vectors. NOTE: this issue can be leveraged remotely via CVE-2007-1063.)
 CVE-2007-1063 (The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device.)
 CVE-2007-1062 (The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time)
Original document: CISCO, Cisco Security Advisory: Cisco Unified IP Conference Station and IP Phone Vulnerabilities (21.02.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod