A software security flaw in the popular videoconferencing suite Cisco TelePresence System could enable a remote attacker to access the system's web server with full administrator rights. Cisco announced the flaw on its website and provided a workaround, noting that a patch will be released at a future date.
According to the company, the vulnerability stems from a software feature that creates a default administrator account, with a known default password, at installation and leaves it enabled. Any remote attacker who knows those default credentials can use them to log in to the underlying web server as a fully privileged administrator; no exploit code or prior access is needed.
“Cisco TelePresence System Software includes a password recovery administrator account that is enabled by default,” the company noted. “Successful exploitation of this vulnerability could allow a remote attacker to use these default credentials to modify the system configuration and settings and take full control of the affected system. An attacker could use this account to modify the system configuration and settings via an HTTPS session.”
Among the affected systems are the Cisco TelePresence System Series 500, 13X0, 1X00, 3X00, and 30X0 running software versions 1.10.1 and prior, as well as the TX 9X00 Series running software versions 6.0.3 and prior. Cisco rated the vulnerability with a CVSS base score of 10.0, the most critical rating possible, reflecting network accessibility, low access complexity, no authentication requirement, and a complete impact on confidentiality, integrity and availability. Until the patch ships, customers can work around the flaw by changing the default password on the password recovery account, as detailed on the Cisco website; verifying afterwards that the device no longer accepts the default is the obvious follow-up check.
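The check a practitioner wants after applying that workaround is a credential audit: does the device still accept the default account? The following is an added example, not Cisco's code and not the actual TelePresence login flow. It stands up a constructed mock "device" web console over plain HTTP with HTTP Basic authentication (an assumption made so the example runs offline; the real product uses an HTTPS session, so the login step would need adapting), probes it with placeholder default credentials (the account name `recovery-admin` and password `changeme` are invented, not Cisco's values), applies the password change, and probes again.

```python
# Default-credential audit against a constructed mock "device" web UI.
# Added example, not Cisco code. The account name, password and the
# HTTP Basic auth scheme are placeholders/assumptions standing in for
# the vendor's documented recovery account and HTTPS login.
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder defaults to probe for; NOT the real Cisco account or password.
DEFAULT_ACCOUNTS = [("recovery-admin", "changeme")]


class MockDeviceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a device web console behind HTTP Basic auth.

    The class-level dict plays the role of the device's account database and
    ships with the default account enabled, mirroring the flaw in the article.
    """

    accounts = {"recovery-admin": "changeme"}

    def do_GET(self):
        authorized = False
        header = self.headers.get("Authorization", "")
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                authorized = self.accounts.get(user) == pw
            except ValueError:  # bad base64 or non-UTF-8 payload
                authorized = False
        if authorized:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin console\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_mock_device():
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockDeviceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def set_device_password(username, new_password):
    """Simulate the vendor workaround: change the account's default password."""
    MockDeviceHandler.accounts[username] = new_password


def credentials_accepted(base_url, username, password, timeout=5):
    """True if the web UI grants access with this username/password pair."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # any other status is an audit failure, not a verdict


def audit_default_accounts(base_url, accounts=DEFAULT_ACCOUNTS):
    """Return the (username, password) pairs the device still accepts."""
    return [(u, p) for u, p in accounts if credentials_accepted(base_url, u, p)]


if __name__ == "__main__":
    server, url = start_mock_device()
    print("before workaround:", audit_default_accounts(url))
    set_device_password("recovery-admin", "a-long-unique-passphrase")
    print("after workaround: ", audit_default_accounts(url))
    server.shutdown()
```

The audit treats only an explicit 401/403 as "rejected" and re-raises anything else, so a timeout or an unexpected redirect shows up as an error rather than a false "fixed" verdict. Against real equipment, probe only devices you are authorized to test, and feed the function the vendor's documented account rather than the placeholders above.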
As telepresence and unified communication technologies become an increasingly common feature on enterprise networks, such tools will continue to provide a potential attack vector for business systems and introduce new security risks. In January, for instance, researchers at Columbia University discovered a flaw in Cisco VoIP phones that would enable remote eavesdropping without detection.
Given consumer concerns about communications privacy, ensuring that systems such as videoconferencing suites and VoIP phones are as secure as possible is essential for manufacturers to maintain user trust. A built-in account that ships enabled with a default password is a design decision rather than a coding slip, and it is exactly the kind of flaw that peer code review and threat modeling during development should catch; static analysis tools help with the implementation-level errors alongside them. Catching such issues before release spares vendors from having to field emergency workarounds afterwards.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.