Cisco warns of flaws in videoconferencing code

Summary: A number of vulnerabilities have been discovered in Cisco's Unified Videoconferencing products that could allow attackers to gain user passwords and remotely access and control the systems.

Cisco has warned of critical security vulnerabilities in its videoconferencing products that could allow attackers to harvest user passwords and take over systems.

Cisco publicly disclosed six critical flaws in the security architecture of its videoconferencing systems on Wednesday.

The security vulnerabilities affect Cisco Unified Videoconferencing (UVC) 3515, 3522, 3527, 5230, 3545, 5110 and 5115 systems. A hacker can use a combination of vulnerabilities to gain root access on the system, the company said in a security advisory.

The passwords are hard-coded into Cisco systems and so cannot be changed or disabled by administrators, Cisco said. Hackers can use the passwords to remotely log in to the devices and gain access to internal networks.

There is no patch available at present, but Cisco is working on updates, it said. To mitigate the flaws, administrators can limit access to the UVC web server to trusted hosts by disabling file transfer protocol (FTP), Secure Shell (SSH) and teletype network (Telnet) services and then setting the security mode field in the security section of the UVC administrator screen to 'maximum', according to Cisco.

Florent Daigniere, a researcher with security company Matta Consulting, discovered the flaw in July. The vulnerabilities mean that "a malicious third party can get full control of the device and harvest user passwords with little to no effort. The attacker might reposition and launch an attack against other parts of the target infrastructure from there", Daigniere wrote in a security advisory on Wednesday.

Matta Consulting's advice to those affected is that "until a patch is issued by [Cisco], Matta recommends you unplug the device from its network socket". Daigniere said that unspecified Radvision products may also be affected.

Jack Clark

About Jack Clark

Currently a reporter for ZDNet UK, I previously worked as a technology researcher and reporter for a London-based news agency.
