[NEWS] Cisco Personal Assistant User Password Bypass Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 01/11/04

    To: list@securiteam.com
    Date: 11 Jan 2004 12:02:49 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Cisco Personal Assistant User Password Bypass Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Cisco Personal Assistant may permit unauthorized access to user
    configuration via the web interface. Once access is granted, user
    preferences and configuration can be manipulated.

    There is a workaround available and a software upgrade is not required to
    remove the vulnerability.

    This issue is documented in Cisco Bug ID CSCec87825.

    DETAILS

    Affected Products:
    Only Cisco Personal Assistant versions 1.4(1) and 1.4(2) are affected.
    Cisco Personal Assistant versions 1.3(x) and prior are not affected.

    No other Cisco products are affected by this vulnerability.

    To verify the version of Personal Assistant you are running, perform the
    following steps.
    1. Log in to Personal Assistant through the web interface.
    2. Browse to Help -> About Cisco Personal Assistant.
    3. Click the Details button and a window appears with the full version
    number.

    Details:
    Cisco Personal Assistant is a Microsoft Windows 2000 based application and
    is part of the AVVID solution. For more information on Personal Assistant,
    see:
    http://www.cisco.com/en/US/partner/products/sw/voicesw/ps2026/index.html

    This vulnerability is only present if both of the following conditions are
    met:
     * The Personal Assistant administrator has checked the "Allow Only Cisco
    CallManager Users" box through System -> Miscellaneous Settings.
     * The Personal Assistant Corporate Directory settings refer to the same
    directory service that is used by Cisco CallManager.

    If both of the above criteria are met, then password authentication to the
    Personal Assistant user configuration is disabled: anyone who enters a
    valid User ID together with any password is authorized to make
    configuration changes to that account.

    The default setting for Personal Assistant is that the "Allow Only Cisco
    CallManager Users" box is unchecked.
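    The two conditions above, together with the affected-version list, reduce to a small configuration audit. The following is an added example (not Cisco's or SecuriTeam's code); the settings field names and the sample directory URLs are assumptions, since the page does not describe the product's configuration store.

```python
# Added example: audit a Personal Assistant configuration against the
# conditions this advisory describes. Field names are assumptions.
from dataclasses import dataclass
import re

# Affected releases per the advisory: 1.4(1) and 1.4(2) only.
AFFECTED = {(1, 4, 1), (1, 4, 2)}

def parse_version(text):
    """Turn a Cisco-style version string such as '1.4(2)' into a tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

@dataclass
class PaSettings:
    version: str
    allow_only_ccm_users: bool     # System -> Miscellaneous Settings checkbox
    corporate_directory: str       # PA Corporate Directory setting (assumed)
    callmanager_directory: str     # directory service CallManager uses (assumed)

def audit(s):
    """Return (vulnerable, findings) for one configuration."""
    if parse_version(s.version) not in AFFECTED:
        return False, ["version not affected"]
    findings = []
    # Treat directory references as the same service when they match
    # case-insensitively; a real audit would normalise host/port/base DN.
    same_dir = (s.corporate_directory.strip().lower()
                == s.callmanager_directory.strip().lower())
    if s.allow_only_ccm_users:
        findings.append('"Allow Only Cisco CallManager Users" is checked')
    if same_dir:
        findings.append("Corporate Directory matches CallManager directory")
    vulnerable = s.allow_only_ccm_users and same_dir
    if vulnerable:
        findings.append('workaround: uncheck "Allow Only Cisco CallManager Users"')
    return vulnerable, findings

if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real deployment.
    samples = [
        PaSettings("1.4(2)", True, "ldap://dc1.example.com", "LDAP://dc1.example.com"),
        PaSettings("1.4(2)", False, "ldap://dc1.example.com", "ldap://dc1.example.com"),
        PaSettings("1.3(4)", True, "ldap://dc1.example.com", "ldap://dc1.example.com"),
    ]
    for cfg in samples:
        print(cfg.version, audit(cfg))
```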

    Users access Personal Assistant by browsing to the address
    http://x.x.x.x/pauseradmin where x.x.x.x is the IP address or hostname of
    the Personal Assistant server.

    This vulnerability does not affect access to Personal Assistant through
    the telephony interface. Users access the telephony interface by dialing
    the Personal Assistant extension. Personal Assistant uses the user's
    CallManager Extension Mobility PIN or the Unity Subscriber Phone Password
    to authenticate users through the telephony interface.

    Impact:
    This bug permits unauthorized configuration access to users' Personal
    Assistant settings. This vulnerability does not affect the system
    configuration of the Personal Assistant application.

    An attacker can modify the settings of a user, which can include modifying
    call routing to redirect calls for purposes of impersonation, or
    forwarding the user's number to a toll number, incurring charges.

    Software Versions and Fixes:
    All vulnerabilities listed in this advisory can be removed through
    configuration of the Personal Assistant server. No software update is
    required.

    Obtaining Fixed Software:
    As the fix for this vulnerability is a configuration change, a software
    upgrade is not required to address this vulnerability.

    If you need assistance with the implementation of the fix, or have
    questions regarding the fix, please contact the Cisco Technical Assistance
    Center (TAC).

    Cisco TAC contacts are as follows.
     * +1 800 553 2447 (toll free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com

    See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
    TAC contact information, including special localized telephone numbers and
    instructions and e-mail addresses for use in various languages.

    Please do not contact either "psirt@cisco.com" or
    "security-alert@cisco.com" for software upgrades.

    Workarounds:
    This vulnerability can be removed by de-selecting the checkbox "Allow Only
    Cisco CallManager Users" on the System -> Miscellaneous Settings page of
    the Personal Assistant Administration site.

    This workaround will have no effect on the behavior of the Personal
    Assistant as CallManager and Personal Assistant must be configured to use
    the same directory for this vulnerability to be present. Configuring
    "Allow Only CallManager Users" while having Personal Assistant and
    CallManager using the same directory is technically redundant.

    ADDITIONAL INFORMATION

    The information has been provided by the Cisco Systems Product Security
    Incident Response Team (psirt@cisco.com).
