Cisco Security Threat Announcement

“Until a patch is issued by the vendor, Matta recommends you unplug the
device from its network socket.” – 11/17 advisory re: Cisco Unified Videoconferencing products

Hoo boy.  Apart from staving off companies like ours, releasing expensive novelty items to home users, and then getting blasted in the stock market, Cisco has not had it easy lately.

Just a couple days ago they made a public disclosure of security threats found in their products that are running on Linux systems.  Take a look at parts of one advisory (bolds are mine):


Multiple Vulnerabilities in Cisco Unified Videoconferencing Products

The purpose of this advisory is to raise awareness of multiple
vulnerabilities in Cisco Unified Videoconferencing products, for which a
security update is not available.

Multiple vulnerabilities exist in Cisco Unified Videoconferencing (UVC)
products, which if exploited, could allow remote attackers access to
sensitive information, gain unauthorized access or take complete control
of a vulnerable system. One of the vulnerabilities is due to hard coded
username and passwords, which cannot be changed or deleted.
vulnerability exists because FTP is enabled by default on Cisco UVC

Affected Versions
Cisco Unified Videoconferencing 5110 System
Cisco Unified Videoconferencing 5115 System
Cisco Unified Videoconferencing 5230 System
Cisco Unified Videoconferencing 3545 System
Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI)
Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI)
Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU)

There are currently no patches available. Cisco recommends the
following workarounds:

Administrators can limit access to the Cisco UVC web server to trusted
hosts by disabling FTP, SSH, and Telnet services
and by setting the
Security mode field in the Security section of the Cisco UVC web GUI to

You can find the actual security report here, and Cisco’s follow up report/response here.

Now, this goes back to the discussions here on the disadvantages of products that try to do too much.  Cisco has a need to support unencrypted systems and be all things to all people.  I don’t think it takes much thought to see how this vulnerability in the Linux installation can affect the security of communications made to non-Linux installations.

Warning:  Blatant VSee Plug ahead!  Again, I normally attempt not to do this here, but I have to point out that the VSee team, which includes a coauthor of the XMPP video standard, researched standards for years.  VSee was made secure from day one.

%d bloggers like this: