Cisco Unified Videoconferencing multiple security vulnerabilities
Published:		18.11.2010
Source:		BUGTRAQ
SecurityVulns ID:		11260
Type:		remote
Level:		8/10
Description:		Hardcoded user accounts, command execution, unauthorized access, password storing in reversible encryption, weak permissions, session hijacking, information leaks.

Affected:		CISCO : Cisco Unified Videoconferencing 5110
		CISCO : Cisco Unified Videoconferencing 5115
		CISCO : Cisco Unified Videoconferencing 5230
		CISCO : Cisco Unified Videoconferencing 3545
		CISCO : Cisco Unified Videoconferencing 3527
		CISCO : Cisco Unified Videoconferencing 3522
		CISCO : Cisco Unified Videoconferencing 3515
CVE:		CVE-2010-3038 (Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008.)
		CVE-2010-3037 (goform/websXMLAdminRequestCgi.cgi in Cisco Unified Videoconferencing (UVC) System 5110 and 5115, and possibly Unified Videoconferencing System 3545 and 5230, Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway, Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway, and Unified Videoconferencing 3515 Multipoint Control Unit (MCU), allows remote authenticated administrators to execute arbitrary commands via the username field, related to a "shell command injection vulnerability," aka Bug ID CSCti54059.)

Original document		Florent Daigniere, Cisco Unified Videoconferencing multiple vulnerabilities - CVE-2010-3037 CVE-2010-3038 (18.11.2010)
		CISCO, Cisco Security Response: Multiple Vulnerabilities in Cisco Unified Videoconferencing Products (18.11.2010)

Discuss:

Read or add your comments to this news (0 comments)