Cisco warns of flaws in videoconferencing code

Summary:A number of vulnerabilities have been discovered in Cisco's Unified Videoconferencing products that could allow attackers to gain user passwords and remotely access and control the systems

Cisco has warned of critical security vulnerabilities in its videoconferencing products that could allow attackers to harvest user passwords and take over systems.

Cisco publicly disclosed six critical flaws in the security architecture of its videoconferencing systems on Wednesday.

The security vulnerabilities affect Cisco Unified Videoconferencing (UVC) 3515, 3522, 3527, 5230, 3545, 5110 and 5115 systems. A hacker can use a combination of vulnerabilities to gain root access on the system, the company said in a security advisory.

The passwords are hard-coded into Cisco systems and so cannot be changed or disabled by administrators, Cisco said. Hackers can use the passwords to remotely log in to the devices and gain access to internal networks.

There is no patch available at present, but Cisco is working on updates, it said. To mitigate the flaws administrators can limit access to the UVC web server to trusted hosts by disabling file transfer protocol (FTP), Secure Shell (SSH) and teletype network (Telnet) services and then setting the security mode field in the security section of the UVC administrator screen to 'maximum', according to Cisco.

Florent Daigniere, a researcher with security company Matta Consulting, discovered the flaw in July. The vulnerabilities mean that "a malicious third party can get full control of the device and harvest user passwords with little to no effort. The attacker might reposition and launch an attack against other parts of the target infrastructure from there", Daigniere wrote in a security advisory on Wednesday.

Matta Consulting's advice to those affected is that "until a patch is issued by [Cisco], Matta recommends you unplug the device from its network socket". Dagniere said that unspecified Radvision products may also be affected.

Topics: Security


Jack Clark has spent the past three years writing about the technical and economic principles that are driving the shift to cloud computing. He's visited data centers on two continents, quizzed senior engineers from Google, Intel and Facebook on the technologies they work on and read more technical papers than you care to name on topics f... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.