Cisco warns of flaws in videoconferencing code

Cisco has warned of critical security vulnerabilities in its videoconferencing products that could allow attackers to harvest user passwords and take over systems.

Cisco publicly disclosed six critical flaws in the security architecture of its videoconferencing systems on Wednesday.

The security vulnerabilities affect Cisco Unified Videoconferencing (UVC) 3515, 3522, 3527, 5230, 3545, 5110 and 5115 systems. A hacker can use a combination of vulnerabilities to gain root access on the system, the company said in a security advisory.

The passwords are hard-coded into Cisco systems and so cannot be changed or disabled by administrators, Cisco said. Hackers can use the passwords to remotely log in to the devices and gain access to internal networks.

There is no patch available at present, but Cisco is working on updates, it said. To mitigate the flaws administrators can limit access to the UVC web server to trusted hosts by disabling file transfer protocol (FTP), Secure Shell (SSH) and teletype network (Telnet) services and then setting the security mode field in the security section of the UVC administrator screen to 'maximum', according to Cisco.

Florent Daigniere, a researcher with security company Matta Consulting, discovered the flaw in July. The vulnerabilities mean that "a malicious third party can get full control of the device and harvest user passwords with little to no effort. The attacker might reposition and launch an attack against other parts of the target infrastructure from there", Daigniere wrote in a security advisory on Wednesday.

Matta Consulting's advice to those affected is that "until a patch is issued by [Cisco], Matta recommends you unplug the device from its network socket". Dagniere said that unspecified Radvision products may also be affected.