ID

VAR-201011-0226

CVE

CVE-2010-3037

TITLE

plural Cisco UVC System Vulnerability to execute arbitrary commands in the product

DESCRIPTION

goform/websXMLAdminRequestCgi.cgi in Cisco Unified Videoconferencing (UVC) System 5110 and 5115, and possibly Unified Videoconferencing System 3545 and 5230, Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway, Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway, and Unified Videoconferencing 3515 Multipoint Control Unit (MCU), allows remote authenticated administrators to execute arbitrary commands via the username field, related to a "shell command injection vulnerability," aka Bug ID CSCti54059. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The script lacks proper filtering for multiple parameters, including but not limited to the \"username\" field. Obviously, the WEB service runs with ROOT privileges, which can lead to an attacker having complete control over the device. Cisco Unified Videoconferencing is prone to multiple remote command-injection vulnerabilities because it fails to properly sanitize user-supplied input. These issues are being tracked by Cisco bug ID CSCti54059. NOTE: These issues were previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but have been given their own record for better documentation. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. 1) Multiple hard-coded accounts exist ("root", "cs", and "develop") that cannot be disabled, which can be exploited to potentially gain access to the device via e.g. brute force attacks. Successful exploitation requires administrative credentials. using a brute force attack to iterate over all possible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM) attack. NOTE: Additionally, some configuration issues exists in the FTP, Web, and OpenSSH servers. PROVIDED AND/OR DISCOVERED BY: Florent Daigniere, Matta Consulting. ORIGINAL ADVISORY: Matta (MATTA-2010-001): http://www.trustmatta.com/advisories/MATTA-2010-001.txt Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Matta Consulting - Matta Advisory http://www.trustmatta.com Cisco Unified Videoconferencing multiple vulnerabilities Advisory ID: MATTA-2010-001 CVE reference: CVE-2010-3037 CVE-2010-3038 Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545, 5110,5115 Systems and unspecified Radvision systems Version: 7.0.1.13.3 at least and more likely all Date: 2010-August-03 Security risk: Critical Exploitable from: Remote Vulnerability: Multiple vulnerabilities Researcher: Florent Daigniere Vendor Status: Notified, working on a patch Vulnerability Disclosure Policy: http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt Permanent URL: http://www.trustmatta.com/advisories/MATTA-2010-001.txt ===================================================================== Description: During an external pentest exercise for one of our clients, multiple vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which allowed us to ultimately gain access to the internal network. - - Hard-coded credentials - CVE-2010-3038 Three accounts have a login shell and a password the administrator can neither disable nor change. The affected accounts are "root", "cs" and "develop". Matta didn't spend the CPU cycles required to get those passwords but will provide the salted hashes to interested parties. - - Services misconfiguration There is an FTP daemon (vsftpd) running but no mention in the documentation of what it might be useful for. User credentials created from the web-interface allow to explore the filesystem/firmware of the device. The file /etc/shadow has read permissions for all. The ssh daemon (openssh) has a non-default but curious configuration. It allows port-forwarding and socks proxies to be created, X11 to be forwarded... even with the restricted shells. The daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and uptime, the easiest being to ask over RPC... Assuming that a user or an administrator logged into the device shortly after it was powered up, and that the network connectivity is fast, it is practical to bruteforce a valid session id. Using this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users are not expected to reuse their credentials, in practice they do; this is an information-disclosure bug. This is an information-disclosure bug. Best practices recommend using PBKDF2 to store passwords. ===================================================================== Impact If successful, a malicious third party can get full control of the device and harvest user passwords with little to no effort. The Attacker might reposition and launch an attack against other parts of the target infrastructure from there. All deployed versions are probably vulnerable. ===================================================================== Threat mitigation Until a patch is issued by the vendor, Matta recommends you unplug the device from its network socket. ===================================================================== Base64 encoded decryption script for the credentials: IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7 OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9 bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7 CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5 NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9 NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg== ===================================================================== Credits This vulnerability was discovered and researched by Florent Daigniere from Matta Consulting. Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the coordination effort. ===================================================================== History 30-07-10 initial discovery 05-08-10 our client has mitigated the risk for his infrastructure ... 23-08-10 initial attempt to contact the vendor 23-08-10 sent pre-advisory to the vendor PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0 23-08-10 reply from the vendor, case PSIRT-0217563645 is open ... 21-09-10 agreement on the public disclosure date ... 08-11-10 planned disclosure date (missed), CVE assignments ... 17-11-10 public disclosure ===================================================================== About Matta Matta is a privately held company with Headquarters in London, and a European office in Amsterdam. Established in 2001, Matta operates in Europe, Asia, the Middle East and North America using a respected team of senior consultants. Matta is an accredited provider of Tigerscheme training; conducts regular research and is the developer behind the webcheck application scanner, and colossus network scanner. http://www.trustmatta.com http://www.trustmatta.com/webapp_va.html http://www.trustmatta.com/network_va.html ===================================================================== Disclaimer and Copyright Copyright (c) 2010 Matta Consulting Limited. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Matta Consulting or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Matta Consulting or its suppliers have been advised of the possibility of such damages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Security Response: Multiple Vulnerabilities in Cisco Unified Videoconferencing Products http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml Revision 1.0 For Public Release 2010 November 17 1600 UTC (GMT) +--------------------------------------------------------------------- Cisco Response ============== This is the Cisco Product Security Incident Response Team (PSIRT) response to a posting entitled "Cisco Unified Videoconferencing multiple vulnerabilities" by Florent Daigniere of Matta Consulting regarding vulnerabilities in the Cisco Unified Videoconferencing (Cisco UVC) 5100 series products. The original report is available at the following links: http://seclists.org/fulldisclosure/2010/Nov/167 http://www.trustmatta.com/advisories/MATTA-2010-001.txt Cisco would like to thank Florent Daigniere of Matta Consulting for reporting these vulnerabilities to us. Cisco greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports. All versions of system software prior to the first fixed, which is indicated in the Software Version and Fixes Table, are affected. To view the version of system software that is currently running on Cisco Unified Videoconferencing 5100 Series Products, access the Cisco UVC device via the web GUI interface. On the status screen, the "Software Version" field below the "Product Information" section indicates the current system software. Details for Reported Vulnerabilities ==================================== Hard-Coded Credentials in Cisco UVC Products +------------------------------------------- The Linux shell contains three hard-coded usernames and passwords. The passwords cannot be changed, and the accounts cannot be deleted. Attackers could leverage these accounts to obtain remote access to a device by using permitted remote access protocols. This vulnerability only affects Linux-based operating system Cisco UVC products. Exploitation of this vulnerability could result in a complete compromise of the device. This vulnerability affects Linux-based operating system Cisco UVC products. It may also affect VxWorks-based Cisco UVC products. The passwords in this file are obfuscated using an easily reversible hashing scheme. Exploit code that assists in recovering the passwords exists. This vulnerability affects only Linux-based operating system Cisco UVC products. FTP Server Accessible by Default in Cisco UVC Products +----------------------------------------------------- The FTP server is enabled by default on Cisco UVC systems. An attacker can leverage the FTP server to exploit other vulnerabilities in this Cisco Security Response. Authentication is required to log into the device via the FTP server. FTP access to the device can be controlled via the "Security mode" field of the Cisco UVC products web GUI. If the Security setting is configured as "High" or "Maximum," the device will not accept FTP connections. For further information, consult the Configuration Guide for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the following link: http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479 This service misconfiguration affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products. Shadow Password File has Read Permissions for All Users in Cisco UVC Products +---------------------------------------------------------------------------- The shadow password file should only be readable by the root account. Allowing read access to the shadow password file allows other users of the system with shell access to retrieve the shadow password file. An authenticated user who has access to the Linux operating system directories, may be able to retrieve the shadow password file. This service misconfiguration only affects Linux-based operating system Cisco UVC products. Lock Down OpenSSH Configuration in Cisco UVC Products +---------------------------------------------------- The SSH server has a restricted shell, however the configuration of the SSH server allows for X.11 forwarding and socks proxies to be created. This service misconfiguration affects only Linux-based operating system Cisco UVC products. Daemon That Binds the Port of the Web Interface Runs as root in Cisco UVC Products In the event that all attacker exploits a flaw in a script running with root's permissions that allows them to write to files, gain access to the system or cause a denial of service. This service misconfiguration affects only Linux-based operating system Cisco UVC products. Weak Session IDs on the Web Interface in Cisco UVC Products +---------------------------------------------------------- The Cisco UVC web interface has session IDs that are incremented based on a time counter. Having predictable session IDs, assists in the hijacking of user sessions. This vulnerability affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products. Usage of Cookies to Store Credentials in Cisco UVC Products +---------------------------------------------------------- On Linux-based Cisco UVC products, web interface credentials are stored in Base64 format in the cookie that is sent to a browser. On VxWorks-based Cisco UVC products, web interface credentials are stored in Base64 format or in clear text. This vulnerability affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. All Cisco UVC software versions prior to the first fixed software release, which is indicated in the following table, are affected by the associated vulnerabilities. This software table will be updated as software fixes become available. +---------------------------------------+ | Linux Cisco UVC Operating System | | Versions | |---------------------------------------| | Product: | First Fixed | | | Release | |-------------------+-------------------| | | Currently no | | Cisco Unified | fixed code | | Videoconferencing | available. | | 5110 and 5115 | Contact your | | Systems | support | | | organization. | |---------------------------------------| | VxWorks Cisco UVC Operating System | | Versions | |---------------------------------------| | Product: | First Fixed | | | Release | |-------------------+-------------------| | | Currently no | | Cisco Unified | fixed code | | Videoconferencing | available. | | 5230 System: | Contact your | | | support | | | organization. | | 3545 System: | Contact your | | | support | | | organization. | | 3515 MCU: | Contact your | | | support | | | organization. | | 3522 BRI Gateway: | Contact your | | | support | | | organization. | | 3527 PRI Gateway: | Contact your | | | support | | | organization. | +---------------------------------------+ Workarounds =========== There are no workarounds for the vulnerabilities that are described in this Cisco Security Response. Administrators can mitigate these vulnerabilities by limiting access to Cisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet services and by setting the "Security mode" field in the "Security" section of the Cisco UVC web GUI to "Maximum." For further information, consult the Configuration Guide for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the following link: http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479 THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Status of this Notice: INTERIM ============================== THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-November-17 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx mM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M =f751 -----END PGP SIGNATURE-----

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code injection

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Florent Daigniere

SOURCES

LAST UPDATE DATE

2025-04-11T22:54:09.149000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE