[NEWS] Multiple Remote Vulnerabilities in Polycom Videoconferencing Products
From: support@securiteam.com
Date: 09/06/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 6 Sep 2002 19:23:38 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Multiple Remote Vulnerabilities in Polycom Videoconferencing Products
------------------------------------------------------------------------
SUMMARY
Internet Security Systems (ISS) X-Force has discovered multiple
vulnerabilities in the Polycom ViewStation videoconferencing products. The
ViewStation devices are powered by a proprietary operating system that
includes Web, Telnet, and FTP servers.
DETAILS
Affected Versions:
* Polycom ViewStation 128 version 7.2 and earlier
* Polycom ViewStation H.323 version 7.2 and earlier
* Polycom ViewStation 512 version 7.2 and earlier
* Polycom ViewStation MP version 7.2 and earlier
* Polycom ViewStation DCP version 7.2 and earlier
* Polycom ViewStation V.35 version 7.2 and earlier
* Polycom ViewStation FX/VS 4000 version 4.1.5 and earlier
Impact:
The vulnerable ViewStation products are susceptible to multiple attacks
that may allow individuals to gather information about the device,
retrieve files, crash the device, or monitor videoconferences.
Description:
The Polycom ViewStation is configured by default with a null or empty
password for the administrator account. Users are not prompted to supply a
new administrator password during the installation process. This account
allows users to configure and manage the device as well as establish
videoconference links. The password for this account cannot be changed
via the Web interface; it can only be changed via the remote control.
Documentation on how to configure a password is provided in the "Optional
Configurations" section of the Polycom ViewStation User Guide.
The integrated Web and Telnet servers are vulnerable to multiple attacks.
By encoding Web requests in Unicode, attackers may retrieve information
from the Web server without authenticating. Attackers can use this
technique to retrieve the administrator password from a vulnerable
ViewStation. Once this password is obtained, remote attackers can take
control of the device. This may allow unauthorized individuals to modify the
system configuration, destroy information, and record or monitor video
conferences.
The Polycom ViewStation camera is vulnerable to various types of denial of
service (DoS) attacks. The Telnet service may become unstable and crash
when multiple connection attempts are made. The Telnet service allows an
unlimited number of login attempts, which may expose it to a brute-force
attack. Remote attackers may be able to cause the camera to crash by
sending long or malformed ICMP packets.
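The two network-facing weaknesses above (Unicode-encoded Web requests that reach content without authenticating, and a Telnet service that accepts unlimited login attempts) are both visible to a defender in the device's or a proxy's logs. The script below is an added example, not part of the ISS advisory or Polycom's software: it reviews constructed log lines for non-canonical request encodings (IIS-style %uXXXX escapes, percent-escapes that are not valid UTF-8 such as overlong sequences, and non-ASCII paths) and for bursts of failed Telnet logins from one source. The log formats, host names, addresses and thresholds are assumptions; the advisory does not describe the ViewStation's own log output.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_to_bytes

# Constructed web-server log lines in common log format (an assumption; the
# advisory does not describe the ViewStation's own log format).
WEB_LOG = """\
10.0.0.5 - - [06/Sep/2002:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 - - [06/Sep/2002:10:00:07 +0200] "GET /admin/%u0041dmin.htm HTTP/1.0" 200 512
10.0.0.9 - - [06/Sep/2002:10:00:09 +0200] "GET /admin/%c1%81dmin.htm HTTP/1.0" 200 512
10.0.0.5 - - [06/Sep/2002:10:00:15 +0200] "GET /images/logo%20small.gif HTTP/1.0" 200 800
10.0.0.5 - - [06/Sep/2002:10:00:20 +0200] "GET /docs/caf%c3%a9.html HTTP/1.0" 200 900
"""

# Constructed syslog-style Telnet lines (hypothetical host "vs128" and format).
TELNET_LOG = """\
Sep  6 10:05:01 vs128 telnetd: connect from 10.0.0.9
Sep  6 10:05:02 vs128 telnetd: login failed for admin from 10.0.0.9
Sep  6 10:05:03 vs128 telnetd: connect from 10.0.0.9
Sep  6 10:05:03 vs128 telnetd: login failed for admin from 10.0.0.9
Sep  6 10:05:04 vs128 telnetd: connect from 10.0.0.9
Sep  6 10:05:05 vs128 telnetd: login failed for admin from 10.0.0.9
Sep  6 10:05:06 vs128 telnetd: connect from 10.0.0.9
Sep  6 10:05:06 vs128 telnetd: login failed for admin from 10.0.0.9
Sep  6 10:05:07 vs128 telnetd: connect from 10.0.0.9
Sep  6 10:05:07 vs128 telnetd: login failed for admin from 10.0.0.9
Sep  6 10:30:00 vs128 telnetd: connect from 10.0.0.5
Sep  6 10:30:04 vs128 telnetd: login ok for admin from 10.0.0.5
"""

WEB_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
UNICODE_ESCAPE = re.compile(r'%u[0-9a-fA-F]{4}')
TELNET_LINE = re.compile(r'^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ telnetd: (.*) from (\S+)$')


def classify_path(path):
    """Return None for a canonical ASCII path, otherwise a reason for review."""
    if UNICODE_ESCAPE.search(path):
        return "unicode-escape"          # %uXXXX is not standard URL encoding
    raw = unquote_to_bytes(path)
    try:
        decoded = raw.decode("utf-8")    # strict decoding rejects overlong forms
    except UnicodeDecodeError:
        return "invalid-utf8"
    if not decoded.isascii():
        return "non-ascii"               # legitimate at times, but worth a look
    return None


def suspicious_requests(log=WEB_LOG):
    """Return (client, path, reason) for each request whose encoding needs review."""
    findings = []
    for line in log.splitlines():
        m = WEB_LINE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        reason = classify_path(path)
        if reason:
            findings.append((client, path, reason))
    return findings


def telnet_failures(log=TELNET_LOG, window=60, year=2002):
    """Largest number of failed logins per source inside any `window`-second span."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = TELNET_LINE.match(line)
        if not m:
            continue
        mon, day, clock, event, src = m.groups()
        if not event.startswith("login failed"):
            continue
        ts = datetime.strptime(f"{year} {mon} {int(day)} {clock}", "%Y %b %d %H:%M:%S")
        attempts[src].append(ts)
    peaks = {}
    for src, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[src] = peak
    return peaks


def brute_force_sources(log=TELNET_LOG, threshold=5, window=60):
    """Sources that reached `threshold` failed logins within one window."""
    return sorted(src for src, n in telnet_failures(log, window).items() if n >= threshold)


if __name__ == "__main__":
    for client, path, reason in suspicious_requests():
        print(f"review: {client} requested {path} ({reason})")
    for src in brute_force_sources():
        print(f"telnet brute force suspected from {src}")
```

Because the device offers no lockout, the useful control is on the network side: the same per-source counts can drive a firewall block or an alert, and a non-ASCII path is reported separately from an invalid one so that ordinary UTF-8 file names do not drown the genuinely malformed requests.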
Recommendations:
X-Force recommends that all Polycom ViewStation users configure strong
passwords on their devices and assess the general security of their
devices. If possible, ViewStation devices should reside behind a firewall.
Polycom has released software version 4.2 for the Polycom ViewStation
FX/VS4000. Polycom will be releasing a patch in September for the
ViewStation and ViewStation SP products. The beta release of this patch is
now available on the Polycom FTP site. Please refer to the Polycom
Worldwide Resource Center for more information.
ADDITIONAL INFORMATION
The original advisory can be viewed by going to:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089
The information has been provided by X-Force <xforce@iss.net>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.