-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Default Credentials for Root Account on
Tandberg E, EX and C Series Endpoints

Advisory ID: cisco-sa-20110202-tandberg

Revision 1.0

For Public Release 2011 February 2 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Tandberg C Series Endpoints and E/EX Personal Video units that are
running software versions prior to TC4.0.0 ship with a root
administrator account that is enabled by default with no password. An
attacker could use this account to modify the application
configuration or operating system settings.

Resolving this default password issue does not require a software
upgrade: for all affected customers, the root password can be changed,
or the root account disabled, with a configuration command. The
workaround detailed in this document shows how to disable the root
account or change the password.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110202-tandberg.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects Tandberg C Series Endpoints and E/EX
Personal Video units, including software that is running on the C20,
C40, C60, C90, E20, EX60, and EX90 codecs. The software version of
the Tandberg unit can be determined by logging into the web-based
user interface (UI) or using the "xStatus SystemUnit" command.

Users can determine the Tandberg software version by entering the IP
address of the codec in a web browser, authenticating (if the device
is configured for authentication), and then selecting the "system
info" menu option. The version number is displayed after the
"Software Version" label in the System Info box.

Alternatively, the software version can be determined from the
device's application programmer interface using the "xStatus
SystemUnit" command. The software version running on the codec is
displayed after the "SystemUnit Software Version" label. The output
from "xStatus SystemUnit" will display a result similar to the
following:

xStatus SystemUnit
*s SystemUnit ProductType: "Cisco TelePresence Codec"
*s SystemUnit ProductId: "Cisco TelePresence Codec C90"
*s SystemUnit ProductPlatform: "C90"
*s SystemUnit Uptime: 597095
*s SystemUnit Software Application: "Endpoint"
*s SystemUnit Software Version: "TC4.0"
*s SystemUnit Software Name: "s52000"
*s SystemUnit Software ReleaseDate: "2010-11-01"
*s SystemUnit Software MaxVideoCalls: 3
*s SystemUnit Software MaxAudioCalls: 4
*s SystemUnit Software ReleaseKey: "true"
*s SystemUnit Software OptionKeys NaturalPresenter: "true"
*s SystemUnit Software OptionKeys MultiSite: "true"
*s SystemUnit Software OptionKeys PremiumResolution: "true"
*s SystemUnit Hardware Module SerialNumber: "B1AD25A00003"
*s SystemUnit Hardware Module Identifier: "0"
*s SystemUnit Hardware MainBoard SerialNumber: "PH0497201"
*s SystemUnit Hardware MainBoard Identifier: "101401-3 [04]"
*s SystemUnit Hardware VideoBoard SerialNumber: "PH0497874"
*s SystemUnit Hardware VideoBoard Identifier: "101560-1 [02]"
*s SystemUnit Hardware AudioBoard SerialNumber: "N/A"
*s SystemUnit Hardware AudioBoard Identifier: ""
*s SystemUnit Hardware BootSoftware: "U-Boot 2009.03-65"
*s SystemUnit State System: Initialized
*s SystemUnit State MaxNumberOfCalls: 3
*s SystemUnit State MaxNumberOfActiveCalls: 3
*s SystemUnit State NumberOfActiveCalls: 1
*s SystemUnit State NumberOfSuspendedCalls: 0
*s SystemUnit State NumberOfInProgressCalls: 0
*s SystemUnit State Subsystem Application: Initialized
*s SystemUnit ContactInfo: "helpdesk@company.com"
** end

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Tandberg devices are part of the Cisco TelePresence Systems that
provide Cisco TelePresence endpoints for immersive environments,
conference rooms, individual desktops and home offices. The C Series
Endpoints are typically deployed as Multipurpose Room Systems and the
E/EX Personal Video units are desktop devices.

These devices contain a root user that is enabled for advanced
debugging and is unnecessary during normal operations. The root
account is not the same as the admin and user accounts. The root user
is enabled by default in software versions prior to TC 4.0.0. The
default configuration prior to TC 4.0.0 does not set a password for
the root user.

When a device is upgraded to TC 4.0.0, the root user is disabled.
System software for Tandberg C Series Endpoints and E/EX Personal
Video units is available for download at:

http://www.tandberg.com/support/video-conferencing-software-download.jsp?t=2

For instructions on how to set a root password or disable the root
user on other software versions, see the workaround section of this
advisory.

This vulnerability has been assigned the CVE ID CVE-2011-0354.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* Root account enabled by default with no password

  CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may allow an
unauthorized user to modify the application configuration and the
operating system settings or gain complete administrative control of
the device.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Workarounds
===========

Devices running software version TC 4.0.0 or later

The root user is disabled in the default configuration starting in
the TC4.0.0 software version. To disable the root account, an
administrator should log in to the application programmer interface
and use the command "systemtools rootsettings off" to temporarily
disable the account, or the command "systemtools rootsettings never"
to permanently disable the root user.

The root user is enabled for advanced debugging. If the root user is
needed, the password should be configured when the account is
enabled. This can be done through the command "systemtools
rootsettings on [password]".

The default configuration of devices running TC4.0.0 does not contain
a password for the administrator account. The password for the
administrator account should be set with the command "xCommand
SystemUnit AdminPassword Set Password: [password]".

Devices running software versions prior to TC 4.0.0

The root user cannot be disabled on devices running software versions
prior to TC4.0.0. The password for the root account is the same as
the administrator password. The administrator password is set with
the command "xCommand SystemUnit AdminPassword Set Password:
[password]".
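A fleet check that ties the version procedure under Vulnerable Products to the two workaround paths in this section, written as an added example (it is not Cisco's or Tandberg's code): it parses saved "xStatus SystemUnit" output, reads the Software Version label, compares it against the TC4.0.0 boundary, and reports which workaround the advisory prescribes for that version. The sample response is constructed from the advisory's own example output; the function names, status labels and the "<password>" placeholder are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: an abbreviated "xStatus SystemUnit" response, built from
# the example output quoted in the advisory (same field names and values).
SAMPLE_XSTATUS = """\
xStatus SystemUnit
*s SystemUnit ProductType: "Cisco TelePresence Codec"
*s SystemUnit ProductId: "Cisco TelePresence Codec C90"
*s SystemUnit ProductPlatform: "C90"
*s SystemUnit Software Application: "Endpoint"
*s SystemUnit Software Version: "TC4.0"
*s SystemUnit Software Name: "s52000"
*s SystemUnit State System: Initialized
** end
"""

# Boundary from the advisory: from TC4.0.0 the root user is disabled by default.
FIXED_VERSION = (4, 0, 0)
# Codecs the advisory lists as affected.
AFFECTED_PLATFORMS = {"C20", "C40", "C60", "C90", "E20", "EX60", "EX90"}

# One status line: "*s SystemUnit <key path>: <value>"
_STATUS_LINE = re.compile(r"^\*s SystemUnit (?P<key>[\w ]+?): (?P<value>.*)$")


def parse_xstatus(text: str) -> Dict[str, str]:
    """Map each '*s SystemUnit' key path (e.g. 'Software Version') to its value.
    Quoted values are unquoted; the echoed command and '** end' are skipped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "** end":
            break
        m = _STATUS_LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[m.group("key").strip()] = value
    return fields


def parse_tc_version(label: str) -> Optional[Tuple[int, int, int]]:
    """'TC4.0' -> (4, 0, 0); 'TC3.1.2' -> (3, 1, 2); None for non-TC labels.
    Missing minor/patch parts count as 0, so TC4.0 compares equal to TC4.0.0."""
    m = re.fullmatch(r"TC(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\D.*)?", label.strip())
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> Dict[str, object]:
    """Classify one unit's xStatus output and return the workaround path the
    advisory prescribes for its software version."""
    f = parse_xstatus(text)
    platform = f.get("ProductPlatform", "")
    version = parse_tc_version(f.get("Software Version", ""))
    result: Dict[str, object] = {"platform": platform, "version": version}
    if version is None:
        result["status"] = "unknown"
        result["action"] = ("no TC version in output; read the Software Version "
                            "label from the web UI System Info box")
    elif platform not in AFFECTED_PLATFORMS:
        result["status"] = "not-listed"
        result["action"] = "platform not listed in the advisory; no action derived"
    elif version < FIXED_VERSION:
        # Pre-TC4.0.0: root cannot be disabled and shares the admin password.
        result["status"] = "vulnerable"
        result["action"] = ("set the administrator password (root shares it): "
                            "xCommand SystemUnit AdminPassword Set Password: <password>")
    else:
        # TC4.0.0+: root disabled by default; admin password still empty by default.
        result["status"] = "fixed-default"
        result["action"] = ("keep root off (systemtools rootsettings never) and set the "
                            "administrator password: xCommand SystemUnit AdminPassword "
                            "Set Password: <password>")
    return result


if __name__ == "__main__":
    samples = [("TC4.0 unit", SAMPLE_XSTATUS),
               ("TC3.1.2 unit", SAMPLE_XSTATUS.replace('"TC4.0"', '"TC3.1.2"'))]
    for label, sample in samples:
        r = assess(sample)
        print(f"{label}: {r['platform']} {r['version']} -> {r['status']}: {r['action']}")
```

The parser stops at the "** end" terminator and ignores the echoed command line, so the same function works on a pasted API session or on output captured to a file; feed it one unit's output at a time and act on the "vulnerable" and "fixed-default" results according to the commands quoted above.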

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

This vulnerability has been discussed in the article "Hacking and
Securing the Tandberg C20" published in Volume 27, Number 3 of the
2600 Magazine.

Status of this Notice: FINAL
============================

This information is Cisco Highly Confidential - Do not redistribute.

THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED
INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS
LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN
ERRORS OR OMIT IMPORTANT INFORMATION.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20110202-tandberg.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
================

+----------+-------------+------------------+
| Revision | Date        | Description      |
+----------+-------------+------------------+
| 1.0      | 2011-Feb-02 | Initial public   |
|          |             | release.         |
+----------+-------------+------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
All contents are Copyright 2011-2007 Cisco Systems, Inc. All rights
reserved.
+--------------------------------------------------------------------

Updated: Feb 02, 2011 Document ID: 112247

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iF4EAREIAAYFAk1JjBQACgkQQXnnBKKRMNDwoAD/drZn3b3jiAKxHxsn8YUdNzOu
KgtSit4dAjrrKx41AXkA/29dkXOf0nZu4y00cBHOGhKMkyj5DAZrkT6aqyvgnZmA
=4vVm
-----END PGP SIGNATURE-----