There is a series of vulnerabilities in Cisco’s Unified Videoconferencing product, including a hardcoded password for several powerful accounts that can’t be changed or deleted. That bug and others disclosed Wednesday can be used to gain complete control of the device and possibly compromise other parts of the internal network.
Cisco warned its customers about the videoconferencing vulnerabilities in an advisory and acknowledged that the password bug can’t be addressed by a patch and there’s no readily available fix for it. The password vulnerability, which is the most severe of the bugs identified this week by Matta Consulting, is only present on systems running Linux operating systems.
“The Linux shell contains three hard-coded usernames and passwords. The
passwords cannot be changed, and the accounts cannot be deleted. Attackers
could leverage these accounts to obtain remote access to a device by using
permitted remote access protocols. This vulnerability only affects Linux-based operating system Cisco UVC
products,” Cisco’s advisory said.
In its advisory on the Cisco flaws, which also include remote command injection, an FTP server accessible by default and weak obfuscation of credentials, Matta said that it discovered the Cisco videoconferencing vulnerabilities during a penetration testing engagement. The company warns that the hardcoded password bug can be used as a jumping-off point for further attacks.
“Three accounts have a login shell and a password the administrator can neither disable nor change. The affected accounts are “root”, “cs” and “develop”. Matta didn’t spend the CPU cycles required to get those passwords but will provide the salted hashes to interested parties. The credentials can be used against both the FTP and the SSH daemon running on the device,” Matta’s advisory said. “If successful, a malicious third party can get full control of the device and
harvest user passwords with little to no effort. The Attacker might reposition and launch an attack against other parts of the target infrastructure from there.”
Cisco UVC 5110 and 5115 on Linux are affected, and Cisco UVC 5230, 3545, 3527, 3522 and 3515 on VxWorks are affected.
Cisco warned that there are no fixes available for any of the vulnerabilities identified by Matta and it did not provide a time line for when patches might be ready. There also are no workaround for the vulnerabilities, which affect Cisco UVC running on Linux or VxWorks systems.
Among the other vulnerabilities in the Cisco UVC software are bugs affecting the permissions on the shadow password file, the SSH server and session IDs and cookies.