Cisco Security Advisory: Cisco Personal Assistant User Password Bypass Vulnerability

From: Cisco Systems Product Security Incident Response Team (
Date: 01/08/04

    Date: Thu, 08 Jan 2004 11:00:00 -0500


    Cisco Security Advisory: Cisco Personal Assistant User Password Bypass

    Document ID: 47765

    Revision 1.0 FINAL

    For Public Release 2004 January 8 17:00 UTC (GMT)

    -----------------------------------------------------------------------


        Affected Products
        Software Versions and Fixes
        Obtaining Fixed Software
        Exploitation and Public Announcements
        Status of This Notice: FINAL
        Revision History
        Cisco Security Procedures

    -----------------------------------------------------------------------


    Cisco Personal Assistant may permit unauthorized access to user
    configuration via the web interface. Once access is granted, user
    preferences and configuration can be manipulated.

    There is a workaround available and a software upgrade is not required
    to remove the vulnerability.

    This issue is documented in Cisco Bug ID CSCec87825.

    This advisory is available at

    Affected Products

    Cisco Personal Assistant versions 1.4(1) and 1.4(2) only are affected.
    Cisco Personal Assistant versions 1.3(x) and prior are not affected.

    No other Cisco products are affected by this vulnerability.

    To verify the version of Personal Assistant you are running, perform
    the following steps.

     1. Log in to Personal Assistant through the web interface.
     2. Browse to Help -> About Cisco Personal Assistant.
     3. Click the Details button and a window appears with the full version

    Cisco Personal Assistant is a Microsoft Windows 2000 based application
    and is part of the AVVID solution. For more information on Personal
    Assistant, see:

    This vulnerability is only present if both of the following conditions
    are met:

      * The Personal Assistant administrator has checked the "Allow Only
        Cisco CallManager Users" box through System -> Miscellaneous
      * The Personal Assistant Corporate Directory settings refer to the
        same directory service that is used by Cisco CallManager.

    If both of the above criteria are met, then password authentication to
    Personal Assistant user configuration is disabled. This allows anyone
    to enter a valid User ID with any password and the user will be
    authorized to make configuration changes to that account.

    The default setting for Personal Assistant is that the "Allow Only
    Cisco CallManager Users" box is unchecked.
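The exposure conditions above can be checked across an inventory of Personal Assistant servers. The following is an added example, not part of the Cisco advisory or any Cisco tooling: the record fields, the `host[:port]` directory notation, the default port 389 and the sample hosts are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

AFFECTED = {(1, 4, 1), (1, 4, 2)}  # per the advisory; 1.3(x) and prior are not affected

@dataclass
class PAServer:
    """Hypothetical inventory record; field names are assumptions."""
    name: str
    version: str                # e.g. "1.4(2)", read from Help -> About -> Details
    allow_only_ccm_users: bool  # "Allow Only Cisco CallManager Users" checkbox
    pa_directory: str           # Corporate Directory setting as "host[:port]"
    ccm_directory: str          # directory service used by Cisco CallManager

def parse_version(text):
    """Return (major, minor, maintenance), or None if the string is not N.N(N)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    return tuple(map(int, m.groups())) if m else None

def normalise(endpoint, default_port=389):
    """Assumption: the same host and port means the same directory service."""
    host, _, port = endpoint.strip().lower().partition(":")
    return host.rstrip("."), int(port or default_port)

def assess(s):
    """Classify one server as EXPOSED, NOT_EXPOSED or REVIEW."""
    config_open = s.allow_only_ccm_users and (
        normalise(s.pa_directory) == normalise(s.ccm_directory))
    if not config_open:
        return "NOT_EXPOSED"  # the advisory requires both conditions
    version = parse_version(s.version)
    if version is None:
        return "REVIEW"       # risky configuration, version could not be read
    return "EXPOSED" if version in AFFECTED else "NOT_EXPOSED"

# Constructed sample inventory (not real hosts).
INVENTORY = [
    PAServer("pa-hq", "1.4(2)", True, "LDAP1.example.com", "ldap1.example.com:389"),
    PAServer("pa-branch", "1.4(1)", False, "ldap1.example.com", "ldap1.example.com"),
    PAServer("pa-lab", "1.3(4)", True, "ldap1.example.com", "ldap1.example.com"),
    PAServer("pa-dr", "1.4(2)", True, "ldap2.example.com", "ldap1.example.com"),
    PAServer("pa-old", "unknown", True, "ldap1.example.com.", "ldap1.example.com"),
]

def triage(inventory):
    return {s.name: assess(s) for s in inventory}

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:10} {status}")
```
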

    Users access Personal Assistant by browsing to the address


    where x.x.x.x is the IP address or hostname of the Personal Assistant

    This vulnerability does not affect access to Personal Assistant through
    the telephony interface. Users access the telephony interface by
    dialing the Personal Assistant extension. Personal Assistant uses the
    user's CallManager Extension Mobility PIN or the Unity Subscriber Phone
    Password to authenticate users through the telephony interface.

    This vulnerability is documented as Cisco bug ID CSCec87825


    This bug permits unauthorized configuration access to users' Personal
    Assistant settings. This vulnerability does not affect the system
    configuration of the Personal Assistant application.

    An attacker can modify the settings of a user, which can include
    modifying call routing to redirect calls for purposes of impersonation,
    or forwarding the user's number to a toll number, incurring charges.

    Software Versions and Fixes

    All vulnerabilities listed in this advisory can be removed through
    configuration of the Personal Assistant server. No software update is

    Obtaining Fixed Software

    As the fix for this vulnerability is a configuration change, a software
    upgrade is not required to address this vulnerability.

    If you need assistance with the implementation of the fix, or have
    questions regarding the fix, please contact the Cisco Technical
    Assistance Center (TAC).

    Cisco TAC contacts are as follows.

      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail:

    See for
    additional TAC contact information, including special localized
    telephone numbers and instructions and e-mail addresses for use in
    various languages.

    Please do not contact either "" or
    "" for software upgrades.


    This vulnerability can be removed by de-selecting the checkbox "Allow
    Only Cisco CallManager Users" on the System -> Miscellaneous Settings
    page of the Personal Assistant Administration site.

    This workaround will have no effect on the behavior of the Personal
    Assistant as CallManager and Personal Assistant must be configured to
    use the same directory for this vulnerability to be present.
    Configuring "Allow Only CallManager Users" while having Personal
    Assistant and CallManager using the same directory is technically

    Exploitation and Public Announcements

    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.

    Status of This Notice: FINAL

    This is a final notice. Although Cisco cannot guarantee the accuracy of
    all statements in this notice, all of the facts have been checked to
    the best of our ability. Cisco does not anticipate issuing updated
    versions of this advisory unless there is some material change in the
    facts. Should there be a significant change in the facts, Cisco will
    update this advisory.


    This advisory will be posted on Cisco's worldwide website at

    In addition to worldwide web posting, a text version of this notice is
    clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.

      * (includes CERT/CC)
      * Various internal Cisco mailing lists

    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on mailing
    lists or newsgroups. Users concerned about this problem are encouraged
    to check the above URL for any updates.

    Revision History

    | Revision 1.0 | 08-January-2004 | Initial Public Release |

    Cisco Security Procedures

    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and registering
    to receive security information from Cisco, is available on Cisco's
    worldwide website at
    sec_incident_response.shtml. This includes instructions for press
    inquiries regarding Cisco security notices. All Cisco security
    advisories are available at

    -----------------------------------------------------------------------
    All contents are Copyright 1992-2004 Cisco Systems, Inc. All rights
    -----------------------------------------------------------------------

