Cisco Fixes Blank Admin Password Flaw in TelePresence Product

ID THREATPOST:88B11245A3132769E08918CF296AAE54
Type threatpost
Reporter Dennis Fisher
Modified 2013-11-12T15:32:47


Cisco has patched a number of vulnerabilities in several separate products, including a serious remote code execution flaw in its Wide Area Application Services Mobile software that could allow an attacker to take complete control of a vulnerable device.

Cisco also has patched a vulnerability in its TelePresence VX Clinical Assistant video conferencing system for health care environments. The fix closes a hole that enabled an attacker to login to the admin account using a blank password.

“A vulnerability in the WIL-A module of Cisco TelePresence VX Clinical Assistant could allow an unauthenticated, remote attacker to log in as the admin user of the device using a blank password,” the Cisco advisory said.

“The vulnerability is due to a coding error that resets the password for the admin user to a blank password on every reboot. An attacker could exploit this vulnerability by logging in to the administrative interface as the admin user with a blank password.”

Meanwhile, the WAAS Mobile vulnerability affects all versions of the software prior to 3.5.5, and the company has released a new version that includes a fix for the bug.

“The vulnerability is due to insufficient validation of user-supplied data in the body of an HTTP POST request. An attacker could exploit this vulnerability by crafting an HTTP POST request for content upload that would result in an uncontrolled directory traversal. An exploit could allow the attacker to execute arbitrary code on the WAAS Mobile server with the privileges of the IIS web server,” the Cisco advisory says.

“The vulnerable component belongs to the web management interface; however, in a deployment where more than one Cisco WAAS Mobile server is used then all the servers are vulnerable, not just the one performing the Manager role and hosting the web management interface.”

However, Cisco said that the flaw doesn’t affect any clients running the software, only servers.

The company also released a fix for a vulnerability in the SIP implementation in its IOS software, which runs on many of its servers and other devices. The bug could allow an attacker to cause a denial-of-service condition on a vulnerable device.

“The vulnerability is due to incorrect processing of specially crafted SIP messages. An attacker could exploit this vulnerability by sending specific valid SIP messages to the SIP gateway. An exploit could allow the attacker to trigger a memory leak or a device reload,” the advisory says.

Image from Flickr photos of Prayitno.