CVE-2010-3038 (GCVE-0-2010-3038)

Vulnerability from cvelistv5 – Published: 2010-11-22 19:00 – Updated: 2024-08-07 02:55

Summary

Severity ?

No CVSS data available.

CWE

Assigner

cisco

References

URL

FKIE_CVE-2010-3038

Vulnerability from fkie_nvd - Published: 2010-11-22 20:00 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
psirt@cisco.com	http://seclists.org/fulldisclosure/2010/Nov/167
psirt@cisco.com	http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html	Vendor Advisory
psirt@cisco.com	http://www.securityfocus.com/bid/44924
psirt@cisco.com	http://www.securitytracker.com/id?1024753
psirt@cisco.com	http://www.trustmatta.com/advisories/MATTA-2010-001.txt
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2010/Nov/167
af854a3a-2127-422b-91ae-364da2661108	http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/44924
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1024753
af854a3a-2127-422b-91ae-364da2661108	http://www.trustmatta.com/advisories/MATTA-2010-001.txt

Impacted products

Vendor	Product	Version
cisco	unified_videoconferencing_system_5110_firmware	7.0.1.13.3
cisco	unified_videoconferencing_system_5115_firmware	7.0.1.13.3
cisco	unified_videoconferencing_system_5110	*
cisco	unified_videoconferencing_system_5115	*
linux	linux_kernel	*

JSON

To clipboard Create KEV Entry

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:unified_videoconferencing_system_5110_firmware:7.0.1.13.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCDF0DD6-EF3E-4758-A715-1814EA7D603D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:unified_videoconferencing_system_5115_firmware:7.0.1.13.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "619E7A89-B6B3-4E3B-BB63-5B142920984B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:unified_videoconferencing_system_5110:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "45DF769C-376D-4D65-B36E-E0F19BD7C8D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:cisco:unified_videoconferencing_system_5115:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "615E1C8A-DC4D-40B4-BF9F-E218469E9749",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "155AD4FB-E527-4103-BCEF-801B653DEA37",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008."
    },
    {
      "lang": "es",
      "value": "Cisco Unified Videoconferencing (UVC) System 5110 y 5115, cuando el sistema operativo Linux se usa, tiene una contrase\u00f1a por defecto para (1) root, (2) cs, y (3) cuentas de desarrollo, lo que hace m\u00e1s sencillo para atacantes remotos obtener acceso a trav\u00e9s de (a) FTP o, (b) demonio SSH, tambi\u00e9n conocido como Bug ID CSCti54008."
    }
  ],
  "id": "CVE-2010-3038",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2010-11-22T20:00:03.230",
  "references": [
    {
      "source": "psirt@cisco.com",
      "url": "http://seclists.org/fulldisclosure/2010/Nov/167"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html"
    },
    {
      "source": "psirt@cisco.com",
      "url": "http://www.securityfocus.com/bid/44924"
    },
    {
      "source": "psirt@cisco.com",
      "url": "http://www.securitytracker.com/id?1024753"
    },
    {
      "source": "psirt@cisco.com",
      "url": "http://www.trustmatta.com/advisories/MATTA-2010-001.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2010/Nov/167"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/44924"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1024753"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.trustmatta.com/advisories/MATTA-2010-001.txt"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-255"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-201011-0227

Vulnerability from variot - Updated: 2025-04-11 22:54

Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008. The problem is Bug ID CSCti54008 It is a problem.By a third party (a) FTP Or (b) SSH It may be accessed through a daemon. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. An attacker can use these accounts to gain access control for this device. Cisco Unified Videoconferencing is prone to an authentication-bypass vulnerability. This issue is being tracked by Cisco bug ID CSCti54008. NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it. ----------------------------------------------------------------------

Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. brute force attacks.

2) Input passed via the "username" parameter to goform/websXMLAdminRequestCgi.cgi is not properly sanitised before being used as a command line argument, which can be exploited to inject arbitrary shell commands with the privileges of the root user.

Successful exploitation requires administrative credentials. using a brute force attack to iterate over all possible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM) attack.

NOTE: Additionally, some configuration issues exists in the FTP, Web, and OpenSSH servers.

PROVIDED AND/OR DISCOVERED BY: Florent Daigniere, Matta Consulting.

ORIGINAL ADVISORY: Matta (MATTA-2010-001): http://www.trustmatta.com/advisories/MATTA-2010-001.txt

Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml

OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Matta Consulting - Matta Advisory http://www.trustmatta.com

Cisco Unified Videoconferencing multiple vulnerabilities

Advisory ID: MATTA-2010-001 CVE reference: CVE-2010-3037 CVE-2010-3038 Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545, 5110,5115 Systems and unspecified Radvision systems Version: 7.0.1.13.3 at least and more likely all Date: 2010-August-03 Security risk: Critical Exploitable from: Remote Vulnerability: Multiple vulnerabilities Researcher: Florent Daigniere Vendor Status: Notified, working on a patch Vulnerability Disclosure Policy: http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt Permanent URL: http://www.trustmatta.com/advisories/MATTA-2010-001.txt

===================================================================== Description:

During an external pentest exercise for one of our clients, multiple vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which allowed us to ultimately gain access to the internal network. Matta didn't spend the CPU cycles required to get those passwords but will provide the salted hashes to interested parties.

- Services misconfiguration

There is an FTP daemon (vsftpd) running but no mention in the documentation of what it might be useful for. User credentials created from the web-interface allow to explore the filesystem/firmware of the device.

The file /etc/shadow has read permissions for all.

The ssh daemon (openssh) has a non-default but curious configuration. It allows port-forwarding and socks proxies to be created, X11 to be forwarded... even with the restricted shells.

The daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and uptime, the easiest being to ask over RPC... Assuming that a user or an administrator logged into the device shortly after it was powered up, and that the network connectivity is fast, it is practical to bruteforce a valid session id.

Using this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users are not expected to reuse their credentials, in practice they do; this is an information-disclosure bug. Many parameters can be abused, including but not limited to the "username" field. This is an information-disclosure bug. Best practices recommend using PBKDF2 to store passwords.

===================================================================== Impact

If successful, a malicious third party can get full control of the device and harvest user passwords with little to no effort. The Attacker might reposition and launch an attack against other parts of the target infrastructure from there. All deployed versions are probably vulnerable.

===================================================================== Threat mitigation

Until a patch is issued by the vendor, Matta recommends you unplug the device from its network socket.

===================================================================== Base64 encoded decryption script for the credentials:

IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7 OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9 bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7 CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5 NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9 NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==

===================================================================== Credits

This vulnerability was discovered and researched by Florent Daigniere from Matta Consulting.

Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the coordination effort.

===================================================================== History

30-07-10 initial discovery 05-08-10 our client has mitigated the risk for his infrastructure ... 23-08-10 initial attempt to contact the vendor 23-08-10 sent pre-advisory to the vendor PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0 23-08-10 reply from the vendor, case PSIRT-0217563645 is open ... 21-09-10 agreement on the public disclosure date ... 08-11-10 planned disclosure date (missed), CVE assignments ... 17-11-10 public disclosure

===================================================================== About Matta

Matta is a privately held company with Headquarters in London, and a European office in Amsterdam. Established in 2001, Matta operates in Europe, Asia, the Middle East and North America using a respected team of senior consultants. Matta is an accredited provider of Tigerscheme training; conducts regular research and is the developer behind the webcheck application scanner, and colossus network scanner.

http://www.trustmatta.com http://www.trustmatta.com/webapp_va.html http://www.trustmatta.com/network_va.html

===================================================================== Disclaimer and Copyright

Copyright (c) 2010 Matta Consulting Limited. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Matta Consulting or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Matta Consulting or its suppliers have been advised of the possibility of such damages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

Cisco Security Response: Multiple Vulnerabilities in Cisco Unified Videoconferencing Products

http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml

Revision 1.0

For Public Release 2010 November 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Cisco Response

This is the Cisco Product Security Incident Response Team (PSIRT) response to a posting entitled "Cisco Unified Videoconferencing multiple vulnerabilities" by Florent Daigniere of Matta Consulting regarding vulnerabilities in the Cisco Unified Videoconferencing (Cisco UVC) 5100 series products.

The original report is available at the following links:

http://seclists.org/fulldisclosure/2010/Nov/167

http://www.trustmatta.com/advisories/MATTA-2010-001.txt

Cisco would like to thank Florent Daigniere of Matta Consulting for reporting these vulnerabilities to us. Cisco greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.

All versions of system software prior to the first fixed, which is indicated in the Software Version and Fixes Table, are affected.

To view the version of system software that is currently running on Cisco Unified Videoconferencing 5100 Series Products, access the Cisco UVC device via the web GUI interface. On the status screen, the "Software Version" field below the "Product Information" section indicates the current system software.

Details for Reported Vulnerabilities

Hard-Coded Credentials in Cisco UVC Products +-------------------------------------------

The Linux shell contains three hard-coded usernames and passwords. The passwords cannot be changed, and the accounts cannot be deleted.

Remote Command Injection on the Web Interface in Cisco UVC Products +------------------------------------------------------------------

Several fields in the web server interface of Cisco UVC products are vulnerable to a shell command injection vulnerability. An administrator user who is authenticated to the web interface of Cisco UVC products could exploit this vulnerability to execute root-level commands on the Linux operating system. Exploitation of this vulnerability could result in a complete compromise of the device. It may also affect VxWorks-based Cisco UVC products.

Weak Obfuscation of Credentials in Cisco UVC Products +----------------------------------------------------

An attacker who can obtain access to the Linux operating system could retrieve a file that is used to store the administrator and operator accounts of the Cisco UVC web GUI. The passwords in this file are obfuscated using an easily reversible hashing scheme. Exploit code that assists in recovering the passwords exists.

FTP Server Accessible by Default in Cisco UVC Products +-----------------------------------------------------

The FTP server is enabled by default on Cisco UVC systems. An attacker can leverage the FTP server to exploit other vulnerabilities in this Cisco Security Response. Authentication is required to log into the device via the FTP server.

FTP access to the device can be controlled via the "Security mode" field of the Cisco UVC products web GUI. If the Security setting is configured as "High" or "Maximum," the device will not accept FTP connections. For further information, consult the Configuration Guide for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the following link:

http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479

This service misconfiguration affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.

Shadow Password File has Read Permissions for All Users in Cisco UVC Products +----------------------------------------------------------------------------

The shadow password file should only be readable by the root account. Allowing read access to the shadow password file allows other users of the system with shell access to retrieve the shadow password file. An authenticated user who has access to the Linux operating system directories, may be able to retrieve the shadow password file.

This service misconfiguration only affects Linux-based operating system Cisco UVC products.

Lock Down OpenSSH Configuration in Cisco UVC Products +----------------------------------------------------

The SSH server has a restricted shell, however the configuration of the SSH server allows for X.11 forwarding and socks proxies to be created.

This service misconfiguration affects only Linux-based operating system Cisco UVC products.

Daemon That Binds the Port of the Web Interface Runs as root in Cisco UVC Products

In the event that all attacker exploits a flaw in a script running with root's permissions that allows them to write to files, gain access to the system or cause a denial of service.

This service misconfiguration affects only Linux-based operating system Cisco UVC products.

Weak Session IDs on the Web Interface in Cisco UVC Products +----------------------------------------------------------

The Cisco UVC web interface has session IDs that are incremented based on a time counter. Having predictable session IDs, assists in the hijacking of user sessions.

Usage of Cookies to Store Credentials in Cisco UVC Products +----------------------------------------------------------

On Linux-based Cisco UVC products, web interface credentials are stored in Base64 format in the cookie that is sent to a browser. On VxWorks-based Cisco UVC products, web interface credentials are stored in Base64 format or in clear text.

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

All Cisco UVC software versions prior to the first fixed software release, which is indicated in the following table, are affected by the associated vulnerabilities.

This software table will be updated as software fixes become available.

+---------------------------------------+ | Linux Cisco UVC Operating System | | Versions | |---------------------------------------| | Product: | First Fixed | | | Release | |-------------------+-------------------| | | Currently no | | Cisco Unified | fixed code | | Videoconferencing | available. | | 5110 and 5115 | Contact your | | Systems | support | | | organization. | |---------------------------------------| | VxWorks Cisco UVC Operating System | | Versions | |---------------------------------------| | Product: | First Fixed | | | Release | |-------------------+-------------------| | | Currently no | | Cisco Unified | fixed code | | Videoconferencing | available. | | 5230 System: | Contact your | | | support | | | organization. | | 3545 System: | Contact your | | | support | | | organization. | | 3515 MCU: | Contact your | | | support | | | organization. | | 3522 BRI Gateway: | Contact your | | | support | | | organization. | | 3527 PRI Gateway: | Contact your | | | support | | | organization. | +---------------------------------------+

Workarounds

There are no workarounds for the vulnerabilities that are described in this Cisco Security Response.

Administrators can mitigate these vulnerabilities by limiting access to Cisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet services and by setting the "Security mode" field in the "Security" section of the Cisco UVC web GUI to "Maximum." For further information, consult the Configuration Guide for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the following link:

http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Status of this Notice: INTERIM

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Revision History

+------------------------------------------------------------+ | Revision 1.0 | 2010-November-17 | Initial public release. | +------------------------------------------------------------+

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx mM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M =f751 -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard Create KEV Entry

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201011-0227",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "unified videoconferencing system 5115",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "7.0.1.13.3"
      },
      {
        "model": "unified videoconferencing system 5110",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "7.0.1.13.3"
      },
      {
        "model": "unified videoconferencing system 5115",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "*"
      },
      {
        "model": "unified videoconferencing system 5110",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "*"
      },
      {
        "model": "unified videoconferencing system 5110",
        "scope": null,
        "trust": 0.8,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "unified videoconferencing system 5115",
        "scope": null,
        "trust": 0.8,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "unified videoconferencing multipoint control unit",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cisco",
        "version": "3515"
      },
      {
        "model": "unified videoconferencing basic rate interfaces gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cisco",
        "version": "3522"
      },
      {
        "model": "unified videoconferencing primary rate interface gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cisco",
        "version": "3527"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cisco",
        "version": "3545"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cisco",
        "version": "5110"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cisco",
        "version": "5115"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cisco",
        "version": "5230"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "52300"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "51150"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "51100"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35450"
      },
      {
        "model": "unified videoconferencing primary rate interface gate",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35270"
      },
      {
        "model": "unified videoconferencing basic rate interfaces gatew",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35220"
      },
      {
        "model": "unified videoconferencing multipoint control unit",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35150"
      },
      {
        "model": "unified videoconferencing",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "0"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "52307.1.2.15"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "51157.1.2.15"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "51107.1.2.12"
      },
      {
        "model": "unified videoconferencing system",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35455.7.2"
      },
      {
        "model": "unified videoconferencing primary rate interface gate",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35275.7.2"
      },
      {
        "model": "unified videoconferencing basic rate interfaces gatew",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35225.7.2"
      },
      {
        "model": "unified videoconferencing multipoint control unit",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "35155.7.2"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "db": "BID",
        "id": "44924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_5110",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_5115",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Florent Daigniere",
    "sources": [
      {
        "db": "BID",
        "id": "44924"
      },
      {
        "db": "PACKETSTORM",
        "id": "95936"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      }
    ],
    "trust": 1.0
  },
  "cve": "CVE-2010-3038",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2010-3038",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-45643",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2010-3038",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2010-3038",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201011-209",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-45643",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008. The problem is Bug ID CSCti54008 It is a problem.By a third party (a) FTP Or (b) SSH It may be accessed through a daemon. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. An attacker can use these accounts to gain access control for this device. Cisco Unified Videoconferencing is prone to an authentication-bypass vulnerability. \nThis issue is being tracked by Cisco bug ID CSCti54008. \nNOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it. ----------------------------------------------------------------------\n\n\nSecure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. brute force attacks. \n\n2) Input passed via the \"username\" parameter to\ngoform/websXMLAdminRequestCgi.cgi is not properly sanitised before\nbeing used as a command line argument, which can be exploited to\ninject arbitrary shell commands with the privileges of the root\nuser. \n\nSuccessful exploitation requires administrative credentials. using a brute force attack to iterate over all\npossible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM)\nattack. \n\nNOTE: Additionally, some configuration issues exists in the FTP, Web,\nand OpenSSH servers. \n\nPROVIDED AND/OR DISCOVERED BY:\nFlorent Daigniere, Matta Consulting. \n\nORIGINAL ADVISORY:\nMatta (MATTA-2010-001):\nhttp://www.trustmatta.com/advisories/MATTA-2010-001.txt\n\nCisco:\nhttp://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \tMatta Consulting - Matta Advisory\n\t    http://www.trustmatta.com\n\n   Cisco Unified Videoconferencing multiple vulnerabilities\n\nAdvisory ID: MATTA-2010-001\nCVE reference: CVE-2010-3037 CVE-2010-3038\nAffected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545,\n5110,5115 Systems and unspecified Radvision systems\nVersion: 7.0.1.13.3 at least and more likely all\nDate: 2010-August-03\nSecurity risk: Critical\nExploitable from: Remote\nVulnerability: Multiple vulnerabilities\nResearcher: Florent Daigniere\nVendor Status: Notified, working on a patch\nVulnerability Disclosure Policy:\n http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt\nPermanent URL:\n http://www.trustmatta.com/advisories/MATTA-2010-001.txt\n\n=====================================================================\nDescription:\n\nDuring an external pentest exercise for one of our clients, multiple\n vulnerabilities and weaknesses were found on the  Cisco CUVC-5110-HD10 which\n allowed us to ultimately gain access to the internal network. \n Matta didn\u0027t spend the CPU cycles required to get those passwords but will\n provide the salted hashes to interested parties. \n\n- - Services misconfiguration\n\nThere is an FTP daemon (vsftpd) running but no mention in the documentation\n of what it might be useful for. User credentials created from the\n web-interface allow to explore the filesystem/firmware of the device. \n\nThe file /etc/shadow has read permissions for all. \n\nThe ssh daemon (openssh) has a non-default but curious configuration. It\n allows port-forwarding and socks proxies to be created, X11 to be\n forwarded... even with the restricted shells. \n\nThe daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and\n uptime, the easiest being to ask over RPC... Assuming that a user or an\n administrator logged into the device shortly after it was powered up, and\n that the network connectivity is fast, it is practical to bruteforce a\n valid session id. \n\nUsing this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users\n are not expected to reuse their credentials, in practice they do; this is\n an information-disclosure bug. Many parameters can be abused,\n including but not limited to the \"username\" field. This is an\n information-disclosure bug. Best practices recommend using PBKDF2 to store\n passwords. \n\n=====================================================================\nImpact\n\nIf successful, a malicious third party can get full control of the device and\n harvest user passwords with little to no effort. The Attacker might\n reposition and launch an attack against other parts of the target\n infrastructure from there. All deployed versions are probably\n vulnerable. \n\n=====================================================================\nThreat mitigation\n\nUntil a patch is issued by the vendor, Matta recommends you unplug the\n device from its network socket. \n\n=====================================================================\nBase64 encoded decryption script for the credentials:\n\nIyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw\nLUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm\ndXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu\nc2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu\nLlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h\nIDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ\nCWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg\nbD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7\nOwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj\nZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9\nbCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK\nCQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp\nIGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg\nOzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ\nZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs\nPXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7\nCgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5\nNCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9\nNSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK\nCQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==\n\n=====================================================================\nCredits\n\nThis vulnerability was discovered and researched by Florent Daigniere from\n Matta Consulting. \n\nThank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the\n coordination effort. \n\n=====================================================================\nHistory\n\n30-07-10 initial discovery\n05-08-10 our client has mitigated the risk for his infrastructure\n... \n23-08-10 initial attempt to contact the vendor\n23-08-10 sent pre-advisory to the vendor\n PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0\n23-08-10 reply from the vendor, case PSIRT-0217563645 is open\n... \n21-09-10 agreement on the public disclosure date\n... \n08-11-10 planned disclosure date (missed), CVE assignments\n... \n17-11-10 public disclosure\n\n=====================================================================\nAbout Matta\n\nMatta is a privately held company with Headquarters in London, and a European\n office in Amsterdam.   Established in 2001, Matta operates in Europe, Asia,\n the Middle East and North America using a respected team of senior\n consultants.  Matta is an accredited provider of Tigerscheme training;\n conducts regular research and is the developer behind the webcheck\n application scanner, and colossus network scanner. \n\nhttp://www.trustmatta.com\nhttp://www.trustmatta.com/webapp_va.html\nhttp://www.trustmatta.com/network_va.html\n\n=====================================================================\nDisclaimer and Copyright\n\nCopyright (c) 2010 Matta Consulting Limited. All rights reserved. \nThis advisory may be distributed as long as its distribution is\n free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either\n express or implied, including the warranties of merchantability and fitness\n for a particular purpose. In no event shall Matta Consulting or its\n suppliers be liable for any damages whatsoever including direct, indirect,\n incidental, consequential, loss of business profits or special damages,\n even if Matta Consulting or its suppliers have been advised of the\n possibility of such damages. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nCisco Security Response: Multiple Vulnerabilities in Cisco Unified\nVideoconferencing Products\n\nhttp://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml\n\nRevision 1.0\n\nFor Public Release 2010 November 17 1600 UTC (GMT)\n\n+---------------------------------------------------------------------\n\nCisco Response\n==============\n\nThis is the Cisco Product Security Incident Response Team (PSIRT)\nresponse to a posting entitled \"Cisco Unified Videoconferencing\nmultiple vulnerabilities\" by Florent Daigniere of Matta Consulting\nregarding vulnerabilities in the Cisco Unified Videoconferencing\n(Cisco UVC) 5100 series products. \n\nThe original report is available at the following links:\n\nhttp://seclists.org/fulldisclosure/2010/Nov/167\n\nhttp://www.trustmatta.com/advisories/MATTA-2010-001.txt\n\nCisco would like to thank Florent Daigniere of Matta Consulting for\nreporting these vulnerabilities to us. Cisco greatly appreciate the\nopportunity to work with researchers on security vulnerabilities and\nwelcome the opportunity to review and assist in product reports. \n\nAll versions of system software prior to the first fixed, which is\nindicated in the Software Version and Fixes Table, are affected. \n\nTo view the version of system software that is currently running on\nCisco Unified Videoconferencing 5100 Series Products, access the\nCisco UVC device via the web GUI interface. On the status screen, the\n\"Software Version\" field below the \"Product Information\" section\nindicates the current system software. \n\nDetails for Reported Vulnerabilities\n====================================\n\nHard-Coded Credentials in Cisco UVC Products\n+-------------------------------------------\n\nThe Linux shell contains three hard-coded usernames and passwords. \nThe passwords cannot be changed, and the accounts cannot be deleted. \n\nRemote Command Injection on the Web Interface in Cisco UVC Products\n+------------------------------------------------------------------\n\nSeveral fields in the web server interface of Cisco UVC products are\nvulnerable to a shell command injection vulnerability. An\nadministrator user who is authenticated to the web interface of Cisco\nUVC products could exploit this vulnerability to execute root-level\ncommands on the Linux operating system. Exploitation of this\nvulnerability could result in a complete compromise of the device. It may also affect VxWorks-based Cisco UVC products. \n\nWeak Obfuscation of Credentials in Cisco UVC Products\n+----------------------------------------------------\n\nAn attacker who can obtain access to the Linux operating system could\nretrieve a file that is used to store the administrator and operator\naccounts of the Cisco UVC web GUI. The passwords in this file are\nobfuscated using an easily reversible hashing scheme. Exploit code\nthat assists in recovering the passwords exists. \n\nFTP Server Accessible by Default in Cisco UVC Products\n+-----------------------------------------------------\n\nThe FTP server is enabled by default on Cisco UVC systems. An\nattacker can leverage the FTP server to exploit other vulnerabilities\nin this Cisco Security Response. Authentication is required to log\ninto the device via the FTP server. \n\nFTP access to the device can be controlled via the \"Security mode\"\nfield of the Cisco UVC products web GUI. If the Security setting is\nconfigured as \"High\" or \"Maximum,\" the device will not accept FTP\nconnections. For further information, consult the Configuration Guide\nfor Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the\nfollowing link:\n\nhttp://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479\n\nThis service misconfiguration affects both Linux-based operating\nsystem Cisco UVC products and VxWorks-based Cisco UVC products. \n\nShadow Password File has Read Permissions for All Users in Cisco UVC Products\n+----------------------------------------------------------------------------\n\nThe shadow password file should only be readable by the root account. \nAllowing read access to the shadow password file allows other users\nof the system with shell access to retrieve the shadow password file. \nAn authenticated user who has access to the Linux operating system\ndirectories, may be able to retrieve the shadow password file. \n\nThis service misconfiguration only affects Linux-based operating\nsystem Cisco UVC products. \n\nLock Down OpenSSH Configuration in Cisco UVC Products\n+----------------------------------------------------\n\nThe SSH server has a restricted shell, however the configuration of\nthe SSH server allows for X.11 forwarding and socks proxies to be\ncreated. \n\nThis service misconfiguration affects only Linux-based operating\nsystem Cisco UVC products. \n\nDaemon That Binds the Port of the Web Interface Runs as root in Cisco\nUVC Products\n\nIn the event that all attacker exploits a flaw in a script running\nwith root\u0027s permissions that allows them to write to files, gain\naccess to the system or cause a denial of service. \n\nThis service misconfiguration affects only Linux-based operating\nsystem Cisco UVC products. \n\nWeak Session IDs on the Web Interface in Cisco UVC Products\n+----------------------------------------------------------\n\nThe Cisco UVC web interface has session IDs that are incremented\nbased on a time counter. Having predictable session IDs, assists in\nthe hijacking of user sessions. \n\nUsage of Cookies to Store Credentials in Cisco UVC Products\n+----------------------------------------------------------\n\nOn Linux-based Cisco UVC products, web interface credentials are\nstored in Base64 format in the cookie that is sent to a browser. On\nVxWorks-based Cisco UVC products, web interface credentials are\nstored in Base64 format or in clear text. \n\nSoftware Versions and Fixes\n===========================\n\nWhen considering software upgrades, also consult\nhttp://www.cisco.com/go/psirt and any subsequent advisories to determine\nexposure and a complete upgrade solution. \n\nIn all cases, customers should exercise caution to be certain the\ndevices to be upgraded contain sufficient memory and that current\nhardware and software configurations will continue to be supported\nproperly by the new release. If the information is not clear, contact\nthe Cisco Technical Assistance Center (TAC) or your contracted\nmaintenance provider for assistance. \n\nAll Cisco UVC software versions prior to the first fixed software\nrelease, which is indicated in the following table, are affected by the\nassociated vulnerabilities. \n\nThis software table will be updated as software fixes become available. \n\n+---------------------------------------+\n|   Linux Cisco UVC Operating System    |\n|               Versions                |\n|---------------------------------------|\n| Product:          | First Fixed       |\n|                   | Release           |\n|-------------------+-------------------|\n|                   | Currently no      |\n| Cisco Unified     | fixed code        |\n| Videoconferencing | available.        |\n| 5110 and 5115     | Contact your      |\n| Systems           | support           |\n|                   | organization.     |\n|---------------------------------------|\n|  VxWorks Cisco UVC Operating System   |\n|               Versions                |\n|---------------------------------------|\n| Product:          | First Fixed       |\n|                   | Release           |\n|-------------------+-------------------|\n|                   | Currently no      |\n| Cisco Unified     | fixed code        |\n| Videoconferencing | available.        |\n| 5230 System:      | Contact your      |\n|                   | support           |\n|                   | organization.        |\n| 3545 System:      | Contact your      |\n|                   | support           |\n|                   | organization.        |\n| 3515 MCU:         | Contact your      |\n|                   | support           |\n|                   | organization.        |\n| 3522 BRI Gateway: | Contact your      |\n|                   | support           |\n|                   | organization.        |\n| 3527 PRI Gateway: | Contact your      |\n|                   | support           |\n|                   | organization.     |\n+---------------------------------------+\n\nWorkarounds\n===========\n\nThere are no workarounds for the vulnerabilities that are described in\nthis Cisco Security Response. \n\nAdministrators can mitigate these vulnerabilities by limiting access to\nCisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet\nservices and by setting the \"Security mode\" field in the \"Security\"\nsection of the Cisco UVC web GUI to \"Maximum.\" For further information,\nconsult the Configuration Guide for Cisco Unified Videoconferencing 5000\nMCU Release 7.0 at the following link:\n\nhttp://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479\n\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY\nANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\nDOCUMENT AT ANY TIME. \n\nStatus of this Notice: INTERIM\n==============================\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY\nANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\nDOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW\nINFORMATION BECOMES AVAILABLE. \n\nA stand-alone copy or Paraphrase of the text of this document that omits\nthe distribution URL in the following section is an uncontrolled copy,\nand may lack important information or contain factual errors. \n\nRevision History\n================\n\n+------------------------------------------------------------+\n| Revision 1.0 | 2010-November-17 | Initial public release.  |\n+------------------------------------------------------------+\n\nCisco Security Procedures\n=========================\n\nComplete information on reporting security vulnerabilities in\nCisco products, obtaining assistance with security incidents, and\nregistering to receive security information from Cisco, is available\non Cisco\u0027s worldwide website at\nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. \nThis includes instructions for press inquiries regarding Cisco security\nnotices. All Cisco security advisories are available at\nhttp://www.cisco.com/go/psirt. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx\nmM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M\n=f751\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-3038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "db": "BID",
        "id": "44924"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "db": "PACKETSTORM",
        "id": "95965"
      },
      {
        "db": "PACKETSTORM",
        "id": "95936"
      },
      {
        "db": "PACKETSTORM",
        "id": "95919"
      }
    ],
    "trust": 2.79
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2010-3038",
        "trust": 3.6
      },
      {
        "db": "BID",
        "id": "44924",
        "trust": 1.4
      },
      {
        "db": "SECTRACK",
        "id": "1024753",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209",
        "trust": 0.7
      },
      {
        "db": "SECUNIA",
        "id": "42248",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851",
        "trust": 0.6
      },
      {
        "db": "FULLDISC",
        "id": "20101117 CISCO UNIFIED VIDEOCONFERENCING MULTIPLE VULNERABILITIES - CVE-2010-3037 CVE-2010-3038",
        "trust": 0.6
      },
      {
        "db": "CISCO",
        "id": "20101117 MULTIPLE VULNERABILITIES IN CISCO UNIFIED VIDEOCONFERENCING PRODUCTS",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-45643",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "95965",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "95936",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "95919",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "db": "BID",
        "id": "44924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "db": "PACKETSTORM",
        "id": "95965"
      },
      {
        "db": "PACKETSTORM",
        "id": "95936"
      },
      {
        "db": "PACKETSTORM",
        "id": "95919"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "id": "VAR-201011-0227",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45643"
      }
    ],
    "trust": 1.347061938
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      }
    ]
  },
  "last_update_date": "2025-04-11T22:54:09.263000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "cisco-sa-20101206-cuvc",
        "trust": 0.8,
        "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-255",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "http://www.trustmatta.com/advisories/matta-2010-001.txt"
      },
      {
        "trust": 1.8,
        "url": "http://seclists.org/fulldisclosure/2010/nov/167"
      },
      {
        "trust": 1.7,
        "url": "http://www.cisco.com/en/us/products/products_security_response09186a0080b56d0d.html"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/bid/44924"
      },
      {
        "trust": 1.1,
        "url": "http://www.securitytracker.com/id?1024753"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3038"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3038"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/514798http"
      },
      {
        "trust": 0.6,
        "url": "http://secunia.com/advisories/42248"
      },
      {
        "trust": 0.5,
        "url": "http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml"
      },
      {
        "trust": 0.3,
        "url": "http://www.cisco.com/en/us/products/hw/video/ps1870/index.html"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/514797"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/514798"
      },
      {
        "trust": 0.3,
        "url": "http://www.cisco.com/warp/public/707/cisco-sa-20101206-cuvc.shtml"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3038"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3037"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/products/corporate/evm/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/42248/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/products/corporate/vim/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/42248/#comments"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/vulnerability_scanning/personal/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42248"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt"
      },
      {
        "trust": 0.1,
        "url": "http://www.trustmatta.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.trustmatta.com/network_va.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.trustmatta.com/webapp_va.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.cisco.com/en/us/products/products_security_vulnerability_policy.html."
      },
      {
        "trust": 0.1,
        "url": "http://www.cisco.com/go/psirt"
      },
      {
        "trust": 0.1,
        "url": "http://www.cisco.com/go/psirt."
      },
      {
        "trust": 0.1,
        "url": "http://www.cisco.com/en/us/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "db": "BID",
        "id": "44924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "db": "PACKETSTORM",
        "id": "95965"
      },
      {
        "db": "PACKETSTORM",
        "id": "95936"
      },
      {
        "db": "PACKETSTORM",
        "id": "95919"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "db": "BID",
        "id": "44924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "db": "PACKETSTORM",
        "id": "95965"
      },
      {
        "db": "PACKETSTORM",
        "id": "95936"
      },
      {
        "db": "PACKETSTORM",
        "id": "95919"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-11-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "date": "2010-11-22T00:00:00",
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "date": "2010-11-17T00:00:00",
        "db": "BID",
        "id": "44924"
      },
      {
        "date": "2012-03-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "date": "2010-11-18T04:41:44",
        "db": "PACKETSTORM",
        "id": "95965"
      },
      {
        "date": "2010-11-18T00:35:38",
        "db": "PACKETSTORM",
        "id": "95936"
      },
      {
        "date": "2010-11-17T23:46:07",
        "db": "PACKETSTORM",
        "id": "95919"
      },
      {
        "date": "2010-11-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      },
      {
        "date": "2010-11-22T20:00:03.230000",
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-11-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2010-2851"
      },
      {
        "date": "2010-12-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-45643"
      },
      {
        "date": "2010-12-06T19:55:00",
        "db": "BID",
        "id": "44924"
      },
      {
        "date": "2012-03-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      },
      {
        "date": "2011-01-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      },
      {
        "date": "2025-04-11T00:51:21.963000",
        "db": "NVD",
        "id": "CVE-2010-3038"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco UVC System 5110 and  5115 Unauthorized access vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-003012"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201011-209"
      }
    ],
    "trust": 0.6
  }
}

GHSA-XQHF-37HR-73JQ

Vulnerability from github – Published: 2022-05-17 05:45 – Updated: 2022-05-17 05:45

Details

Show details on source website

JSON

To clipboard Create KEV Entry

{
  "affected": [],
  "aliases": [
    "CVE-2010-3038"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-11-22T20:00:00Z",
    "severity": "HIGH"
  },
  "details": "Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008.",
  "id": "GHSA-xqhf-37hr-73jq",
  "modified": "2022-05-17T05:45:28Z",
  "published": "2022-05-17T05:45:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3038"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2010/Nov/167"
    },
    {
      "type": "WEB",
      "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/44924"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1024753"
    },
    {
      "type": "WEB",
      "url": "http://www.trustmatta.com/advisories/MATTA-2010-001.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2010-3038

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2010-3038

Aliases

CVE-2010-3038

JSON

To clipboard Create KEV Entry

{
  "GSD": {
    "alias": "CVE-2010-3038",
    "description": "Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008.",
    "id": "GSD-2010-3038"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2010-3038"
      ],
      "details": "Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008.",
      "id": "GSD-2010-3038",
      "modified": "2023-12-13T01:21:34.804903Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "ID": "CVE-2010-3038",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.trustmatta.com/advisories/MATTA-2010-001.txt",
            "refsource": "MISC",
            "url": "http://www.trustmatta.com/advisories/MATTA-2010-001.txt"
          },
          {
            "name": "20101117 Multiple Vulnerabilities in Cisco Unified Videoconferencing Products",
            "refsource": "CISCO",
            "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html"
          },
          {
            "name": "1024753",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1024753"
          },
          {
            "name": "44924",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/44924"
          },
          {
            "name": "20101117 Cisco Unified Videoconferencing multiple vulnerabilities - CVE-2010-3037 CVE-2010-3038",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2010/Nov/167"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:cisco:unified_videoconferencing_system_5110_firmware:7.0.1.13.3:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:cisco:unified_videoconferencing_system_5115_firmware:7.0.1.13.3:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:unified_videoconferencing_system_5110:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:unified_videoconferencing_system_5115:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2010-3038"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-255"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20101117 Multiple Vulnerabilities in Cisco Unified Videoconferencing Products",
              "refsource": "CISCO",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html"
            },
            {
              "name": "http://www.trustmatta.com/advisories/MATTA-2010-001.txt",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.trustmatta.com/advisories/MATTA-2010-001.txt"
            },
            {
              "name": "20101117 Cisco Unified Videoconferencing multiple vulnerabilities - CVE-2010-3037 CVE-2010-3038",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2010/Nov/167"
            },
            {
              "name": "1024753",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1024753"
            },
            {
              "name": "44924",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/44924"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2010-12-10T06:44Z",
      "publishedDate": "2010-11-22T20:00Z"
    }
  }
}

CERTA-2010-AVI-561

Vulnerability from certfr_avis - Published: 2010-11-23 - Updated: 2010-11-23

De multiples vulnérabilités dans Cisco Unified Videoconferencing permettent, entre autres, de contourner la politique de sécurité.

Description

De multiples vulnérabilités ont été identifiées dans les produits Cisco Unified Videoconferencing. Leur exploitation permet notamment à une personne malintentionnée de contourner la politique de sécurité et d'exécuter ainsi des commandes avec le privilège administrateur.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Cisco	N/A	Cisco Unified Videoconferencing 3545 System ;
Cisco	N/A	Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway ;
Cisco	N/A	Cisco Unified Videoconferencing 5115 System ;
Cisco	N/A	Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU).
Cisco	N/A	Cisco Unified Videoconferencing 5230 System ;
Cisco	N/A	Cisco Unified Videoconferencing 5110 System ;
Cisco	N/A	Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway ;

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2010-3038 (GCVE-0-2010-3038)

FKIE_CVE-2010-3038

VAR-201011-0227

Cisco Response

Details for Reported Vulnerabilities

Software Versions and Fixes

Workarounds

Status of this Notice: INTERIM

Revision History

Cisco Security Procedures

GHSA-XQHF-37HR-73JQ

GSD-2010-3038

CERTA-2010-AVI-561

Description

Solution

Tags

Sightings

Nomenclature