VAR-201011-0226
Vulnerability from variot - Updated: 2025-04-11 22:54goform/websXMLAdminRequestCgi.cgi in Cisco Unified Videoconferencing (UVC) System 5110 and 5115, and possibly Unified Videoconferencing System 3545 and 5230, Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway, Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway, and Unified Videoconferencing 3515 Multipoint Control Unit (MCU), allows remote authenticated administrators to execute arbitrary commands via the username field, related to a "shell command injection vulnerability," aka Bug ID CSCti54059. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The script lacks proper filtering for multiple parameters, including but not limited to the \"username\" field. Obviously, the WEB service runs with ROOT privileges, which can lead to an attacker having complete control over the device. Cisco Unified Videoconferencing is prone to multiple remote command-injection vulnerabilities because it fails to properly sanitize user-supplied input. These issues are being tracked by Cisco bug ID CSCti54059. NOTE: These issues were previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but have been given their own record for better documentation. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
1) Multiple hard-coded accounts exist ("root", "cs", and "develop") that cannot be disabled, which can be exploited to potentially gain access to the device via e.g. brute force attacks.
Successful exploitation requires administrative credentials. using a brute force attack to iterate over all possible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM) attack.
NOTE: Additionally, some configuration issues exists in the FTP, Web, and OpenSSH servers.
PROVIDED AND/OR DISCOVERED BY: Florent Daigniere, Matta Consulting.
ORIGINAL ADVISORY: Matta (MATTA-2010-001): http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Matta Consulting - Matta Advisory http://www.trustmatta.com
Cisco Unified Videoconferencing multiple vulnerabilities
Advisory ID: MATTA-2010-001 CVE reference: CVE-2010-3037 CVE-2010-3038 Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545, 5110,5115 Systems and unspecified Radvision systems Version: 7.0.1.13.3 at least and more likely all Date: 2010-August-03 Security risk: Critical Exploitable from: Remote Vulnerability: Multiple vulnerabilities Researcher: Florent Daigniere Vendor Status: Notified, working on a patch Vulnerability Disclosure Policy: http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt Permanent URL: http://www.trustmatta.com/advisories/MATTA-2010-001.txt
===================================================================== Description:
During an external pentest exercise for one of our clients, multiple vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which allowed us to ultimately gain access to the internal network.
-
- Hard-coded credentials - CVE-2010-3038
Three accounts have a login shell and a password the administrator can neither disable nor change. The affected accounts are "root", "cs" and "develop". Matta didn't spend the CPU cycles required to get those passwords but will provide the salted hashes to interested parties.
-
- Services misconfiguration
There is an FTP daemon (vsftpd) running but no mention in the documentation of what it might be useful for. User credentials created from the web-interface allow to explore the filesystem/firmware of the device.
The file /etc/shadow has read permissions for all.
The ssh daemon (openssh) has a non-default but curious configuration. It allows port-forwarding and socks proxies to be created, X11 to be forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and uptime, the easiest being to ask over RPC... Assuming that a user or an administrator logged into the device shortly after it was powered up, and that the network connectivity is fast, it is practical to bruteforce a valid session id.
Using this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users are not expected to reuse their credentials, in practice they do; this is an information-disclosure bug. This is an information-disclosure bug. Best practices recommend using PBKDF2 to store passwords.
===================================================================== Impact
If successful, a malicious third party can get full control of the device and harvest user passwords with little to no effort. The Attacker might reposition and launch an attack against other parts of the target infrastructure from there. All deployed versions are probably vulnerable.
===================================================================== Threat mitigation
Until a patch is issued by the vendor, Matta recommends you unplug the device from its network socket.
===================================================================== Base64 encoded decryption script for the credentials:
IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7 OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9 bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7 CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5 NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9 NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==
===================================================================== Credits
This vulnerability was discovered and researched by Florent Daigniere from Matta Consulting.
Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the coordination effort.
===================================================================== History
30-07-10 initial discovery 05-08-10 our client has mitigated the risk for his infrastructure ... 23-08-10 initial attempt to contact the vendor 23-08-10 sent pre-advisory to the vendor PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0 23-08-10 reply from the vendor, case PSIRT-0217563645 is open ... 21-09-10 agreement on the public disclosure date ... 08-11-10 planned disclosure date (missed), CVE assignments ... 17-11-10 public disclosure
===================================================================== About Matta
Matta is a privately held company with Headquarters in London, and a European office in Amsterdam. Established in 2001, Matta operates in Europe, Asia, the Middle East and North America using a respected team of senior consultants. Matta is an accredited provider of Tigerscheme training; conducts regular research and is the developer behind the webcheck application scanner, and colossus network scanner.
http://www.trustmatta.com http://www.trustmatta.com/webapp_va.html http://www.trustmatta.com/network_va.html
===================================================================== Disclaimer and Copyright
Copyright (c) 2010 Matta Consulting Limited. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Matta Consulting or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Matta Consulting or its suppliers have been advised of the possibility of such damages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Cisco Security Response: Multiple Vulnerabilities in Cisco Unified Videoconferencing Products
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
Revision 1.0
For Public Release 2010 November 17 1600 UTC (GMT)
+---------------------------------------------------------------------
Cisco Response
This is the Cisco Product Security Incident Response Team (PSIRT) response to a posting entitled "Cisco Unified Videoconferencing multiple vulnerabilities" by Florent Daigniere of Matta Consulting regarding vulnerabilities in the Cisco Unified Videoconferencing (Cisco UVC) 5100 series products.
The original report is available at the following links:
http://seclists.org/fulldisclosure/2010/Nov/167
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco would like to thank Florent Daigniere of Matta Consulting for reporting these vulnerabilities to us. Cisco greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.
All versions of system software prior to the first fixed, which is indicated in the Software Version and Fixes Table, are affected.
To view the version of system software that is currently running on Cisco Unified Videoconferencing 5100 Series Products, access the Cisco UVC device via the web GUI interface. On the status screen, the "Software Version" field below the "Product Information" section indicates the current system software.
Details for Reported Vulnerabilities
Hard-Coded Credentials in Cisco UVC Products +-------------------------------------------
The Linux shell contains three hard-coded usernames and passwords. The passwords cannot be changed, and the accounts cannot be deleted. Attackers could leverage these accounts to obtain remote access to a device by using permitted remote access protocols.
This vulnerability only affects Linux-based operating system Cisco UVC products. Exploitation of this vulnerability could result in a complete compromise of the device.
This vulnerability affects Linux-based operating system Cisco UVC products. It may also affect VxWorks-based Cisco UVC products. The passwords in this file are obfuscated using an easily reversible hashing scheme. Exploit code that assists in recovering the passwords exists.
This vulnerability affects only Linux-based operating system Cisco UVC products.
FTP Server Accessible by Default in Cisco UVC Products +-----------------------------------------------------
The FTP server is enabled by default on Cisco UVC systems. An attacker can leverage the FTP server to exploit other vulnerabilities in this Cisco Security Response. Authentication is required to log into the device via the FTP server.
FTP access to the device can be controlled via the "Security mode" field of the Cisco UVC products web GUI. If the Security setting is configured as "High" or "Maximum," the device will not accept FTP connections. For further information, consult the Configuration Guide for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
This service misconfiguration affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.
Shadow Password File has Read Permissions for All Users in Cisco UVC Products +----------------------------------------------------------------------------
The shadow password file should only be readable by the root account. Allowing read access to the shadow password file allows other users of the system with shell access to retrieve the shadow password file. An authenticated user who has access to the Linux operating system directories, may be able to retrieve the shadow password file.
This service misconfiguration only affects Linux-based operating system Cisco UVC products.
Lock Down OpenSSH Configuration in Cisco UVC Products +----------------------------------------------------
The SSH server has a restricted shell, however the configuration of the SSH server allows for X.11 forwarding and socks proxies to be created.
This service misconfiguration affects only Linux-based operating system Cisco UVC products.
Daemon That Binds the Port of the Web Interface Runs as root in Cisco UVC Products
In the event that all attacker exploits a flaw in a script running with root's permissions that allows them to write to files, gain access to the system or cause a denial of service.
This service misconfiguration affects only Linux-based operating system Cisco UVC products.
Weak Session IDs on the Web Interface in Cisco UVC Products +----------------------------------------------------------
The Cisco UVC web interface has session IDs that are incremented based on a time counter. Having predictable session IDs, assists in the hijacking of user sessions.
This vulnerability affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.
Usage of Cookies to Store Credentials in Cisco UVC Products +----------------------------------------------------------
On Linux-based Cisco UVC products, web interface credentials are stored in Base64 format in the cookie that is sent to a browser. On VxWorks-based Cisco UVC products, web interface credentials are stored in Base64 format or in clear text.
This vulnerability affects both Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
All Cisco UVC software versions prior to the first fixed software release, which is indicated in the following table, are affected by the associated vulnerabilities.
This software table will be updated as software fixes become available.
+---------------------------------------+ | Linux Cisco UVC Operating System | | Versions | |---------------------------------------| | Product: | First Fixed | | | Release | |-------------------+-------------------| | | Currently no | | Cisco Unified | fixed code | | Videoconferencing | available. | | 5110 and 5115 | Contact your | | Systems | support | | | organization. | |---------------------------------------| | VxWorks Cisco UVC Operating System | | Versions | |---------------------------------------| | Product: | First Fixed | | | Release | |-------------------+-------------------| | | Currently no | | Cisco Unified | fixed code | | Videoconferencing | available. | | 5230 System: | Contact your | | | support | | | organization. | | 3545 System: | Contact your | | | support | | | organization. | | 3515 MCU: | Contact your | | | support | | | organization. | | 3522 BRI Gateway: | Contact your | | | support | | | organization. | | 3527 PRI Gateway: | Contact your | | | support | | | organization. | +---------------------------------------+
Workarounds
There are no workarounds for the vulnerabilities that are described in this Cisco Security Response.
Administrators can mitigate these vulnerabilities by limiting access to Cisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet services and by setting the "Security mode" field in the "Security" section of the Cisco UVC web GUI to "Maximum." For further information, consult the Configuration Guide for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Status of this Notice: INTERIM
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Revision History
+------------------------------------------------------------+ | Revision 1.0 | 2010-November-17 | Initial public release. | +------------------------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx mM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M =f751 -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201011-0226",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "unified videoconferencing system 3522 basic rate interface gateway",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "7.0.1.13.3"
},
{
"model": "unified videoconferencing system 3515 multipoint control unit",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "7.0.1.13.3"
},
{
"model": "unified videoconferencing system 5115",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "7.0.1.13.3"
},
{
"model": "unified videoconferencing system 5230",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "7.0.1.13.3"
},
{
"model": "unified videoconferencing system 5110",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "7.0.1.13.3"
},
{
"model": "unified videoconferencing system 3527 primary rate interface gateway",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "7.0.1.13.3"
},
{
"model": "unified videoconferencing system 3545",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "7.0.1.13.3"
},
{
"model": "unified videoconferencing system 5230",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "unified videoconferencing system 5110",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "unified videoconferencing system 3522 basic rate interface gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "unified videoconferencing system 3527 primary rate interface gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "unified videoconferencing system 5115",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "unified videoconferencing system 3545",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "unified videoconferencing system 3515 multipoint control unit",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "unified videoconferencing system 3515 multipoint control unit",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "unified videoconferencing system 3522 basic rate interface gateway",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "unified videoconferencing system 3527 primary rate interface gateway",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "unified videoconferencing system 3545",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "unified videoconferencing system 5110",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "unified videoconferencing system 5115",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "unified videoconferencing system 5230",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "unified videoconferencing multipoint control unit",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "3515"
},
{
"model": "unified videoconferencing prinary rate interface gataway",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "3527"
},
{
"model": "unified videoconferencing basic rate interfaces gateway",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "3522"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "3545"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "5110"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "5115"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "5230"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "52300"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "51150"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "51100"
},
{
"model": "unified videoconferencing system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "35450"
},
{
"model": "unified videoconferencing primary rate interface gate",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "35270"
},
{
"model": "unified videoconferencing basic rate interfaces gatew",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "35220"
},
{
"model": "unified videoconferencing multipoint control unit",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "35150"
},
{
"model": "unified videoconferencing",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"model": "unified videoconferencing system",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "52307.1.2.15"
},
{
"model": "unified videoconferencing system",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "51157.1.2.15"
},
{
"model": "unified videoconferencing system",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "51107.1.2.12"
},
{
"model": "unified videoconferencing system",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "35455.7.2"
},
{
"model": "unified videoconferencing primary rate interface gate",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "35275.7.2"
},
{
"model": "unified videoconferencing basic rate interfaces gatew",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "35225.7.2"
},
{
"model": "unified videoconferencing multipoint control unit",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "35155.7.2"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"db": "BID",
"id": "44922"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
},
{
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_3515_multipoint_control_unit",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_3522_basic_rate_interface_gateway",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_3527_primary_rate_interface_gateway",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_3545",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_5110",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_5115",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:unified_videoconferencing_system_5230",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Florent Daigniere",
"sources": [
{
"db": "BID",
"id": "44922"
},
{
"db": "PACKETSTORM",
"id": "95936"
},
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
}
],
"trust": 1.0
},
"cve": "CVE-2010-3037",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.8,
"id": "CVE-2010-3037",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.8,
"id": "VHN-45642",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2010-3037",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2010-3037",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201011-208",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-45642",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45642"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
},
{
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "goform/websXMLAdminRequestCgi.cgi in Cisco Unified Videoconferencing (UVC) System 5110 and 5115, and possibly Unified Videoconferencing System 3545 and 5230, Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway, Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway, and Unified Videoconferencing 3515 Multipoint Control Unit (MCU), allows remote authenticated administrators to execute arbitrary commands via the username field, related to a \"shell command injection vulnerability,\" aka Bug ID CSCti54059. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The script lacks proper filtering for multiple parameters, including but not limited to the \\\"username\\\" field. Obviously, the WEB service runs with ROOT privileges, which can lead to an attacker having complete control over the device. Cisco Unified Videoconferencing is prone to multiple remote command-injection vulnerabilities because it fails to properly sanitize user-supplied input. \nThese issues are being tracked by Cisco bug ID CSCti54059. \nNOTE: These issues were previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but have been given their own record for better documentation. ----------------------------------------------------------------------\n\n\nSecure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. \n\n1) Multiple hard-coded accounts exist (\"root\", \"cs\", and \"develop\")\nthat cannot be disabled, which can be exploited to potentially gain\naccess to the device via e.g. brute force attacks. \n\nSuccessful exploitation requires administrative credentials. using a brute force attack to iterate over all\npossible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM)\nattack. \n\nNOTE: Additionally, some configuration issues exists in the FTP, Web,\nand OpenSSH servers. \n\nPROVIDED AND/OR DISCOVERED BY:\nFlorent Daigniere, Matta Consulting. \n\nORIGINAL ADVISORY:\nMatta (MATTA-2010-001):\nhttp://www.trustmatta.com/advisories/MATTA-2010-001.txt\n\nCisco:\nhttp://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \tMatta Consulting - Matta Advisory\n\t http://www.trustmatta.com\n\n Cisco Unified Videoconferencing multiple vulnerabilities\n\nAdvisory ID: MATTA-2010-001\nCVE reference: CVE-2010-3037 CVE-2010-3038\nAffected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545,\n5110,5115 Systems and unspecified Radvision systems\nVersion: 7.0.1.13.3 at least and more likely all\nDate: 2010-August-03\nSecurity risk: Critical\nExploitable from: Remote\nVulnerability: Multiple vulnerabilities\nResearcher: Florent Daigniere\nVendor Status: Notified, working on a patch\nVulnerability Disclosure Policy:\n http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt\nPermanent URL:\n http://www.trustmatta.com/advisories/MATTA-2010-001.txt\n\n=====================================================================\nDescription:\n\nDuring an external pentest exercise for one of our clients, multiple\n vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which\n allowed us to ultimately gain access to the internal network. \n\n- - Hard-coded credentials - CVE-2010-3038\n\nThree accounts have a login shell and a password the administrator can neither\n disable nor change. The affected accounts are \"root\", \"cs\" and \"develop\". \n Matta didn\u0027t spend the CPU cycles required to get those passwords but will\n provide the salted hashes to interested parties. \n\n- - Services misconfiguration\n\nThere is an FTP daemon (vsftpd) running but no mention in the documentation\n of what it might be useful for. User credentials created from the\n web-interface allow to explore the filesystem/firmware of the device. \n\nThe file /etc/shadow has read permissions for all. \n\nThe ssh daemon (openssh) has a non-default but curious configuration. It\n allows port-forwarding and socks proxies to be created, X11 to be\n forwarded... even with the restricted shells. \n\nThe daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and\n uptime, the easiest being to ask over RPC... Assuming that a user or an\n administrator logged into the device shortly after it was powered up, and\n that the network connectivity is fast, it is practical to bruteforce a\n valid session id. \n\nUsing this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users\n are not expected to reuse their credentials, in practice they do; this is\n an information-disclosure bug. This is an\n information-disclosure bug. Best practices recommend using PBKDF2 to store\n passwords. \n\n=====================================================================\nImpact\n\nIf successful, a malicious third party can get full control of the device and\n harvest user passwords with little to no effort. The Attacker might\n reposition and launch an attack against other parts of the target\n infrastructure from there. All deployed versions are probably\n vulnerable. \n\n=====================================================================\nThreat mitigation\n\nUntil a patch is issued by the vendor, Matta recommends you unplug the\n device from its network socket. \n\n=====================================================================\nBase64 encoded decryption script for the credentials:\n\nIyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw\nLUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm\ndXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu\nc2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu\nLlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h\nIDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ\nCWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg\nbD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7\nOwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj\nZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9\nbCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK\nCQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp\nIGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg\nOzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ\nZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs\nPXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7\nCgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5\nNCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9\nNSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK\nCQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==\n\n=====================================================================\nCredits\n\nThis vulnerability was discovered and researched by Florent Daigniere from\n Matta Consulting. \n\nThank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the\n coordination effort. \n\n=====================================================================\nHistory\n\n30-07-10 initial discovery\n05-08-10 our client has mitigated the risk for his infrastructure\n... \n23-08-10 initial attempt to contact the vendor\n23-08-10 sent pre-advisory to the vendor\n PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0\n23-08-10 reply from the vendor, case PSIRT-0217563645 is open\n... \n21-09-10 agreement on the public disclosure date\n... \n08-11-10 planned disclosure date (missed), CVE assignments\n... \n17-11-10 public disclosure\n\n=====================================================================\nAbout Matta\n\nMatta is a privately held company with Headquarters in London, and a European\n office in Amsterdam. Established in 2001, Matta operates in Europe, Asia,\n the Middle East and North America using a respected team of senior\n consultants. Matta is an accredited provider of Tigerscheme training;\n conducts regular research and is the developer behind the webcheck\n application scanner, and colossus network scanner. \n\nhttp://www.trustmatta.com\nhttp://www.trustmatta.com/webapp_va.html\nhttp://www.trustmatta.com/network_va.html\n\n=====================================================================\nDisclaimer and Copyright\n\nCopyright (c) 2010 Matta Consulting Limited. All rights reserved. \nThis advisory may be distributed as long as its distribution is\n free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either\n express or implied, including the warranties of merchantability and fitness\n for a particular purpose. In no event shall Matta Consulting or its\n suppliers be liable for any damages whatsoever including direct, indirect,\n incidental, consequential, loss of business profits or special damages,\n even if Matta Consulting or its suppliers have been advised of the\n possibility of such damages. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nCisco Security Response: Multiple Vulnerabilities in Cisco Unified\nVideoconferencing Products\n\nhttp://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml\n\nRevision 1.0\n\nFor Public Release 2010 November 17 1600 UTC (GMT)\n\n+---------------------------------------------------------------------\n\nCisco Response\n==============\n\nThis is the Cisco Product Security Incident Response Team (PSIRT)\nresponse to a posting entitled \"Cisco Unified Videoconferencing\nmultiple vulnerabilities\" by Florent Daigniere of Matta Consulting\nregarding vulnerabilities in the Cisco Unified Videoconferencing\n(Cisco UVC) 5100 series products. \n\nThe original report is available at the following links:\n\nhttp://seclists.org/fulldisclosure/2010/Nov/167\n\nhttp://www.trustmatta.com/advisories/MATTA-2010-001.txt\n\nCisco would like to thank Florent Daigniere of Matta Consulting for\nreporting these vulnerabilities to us. Cisco greatly appreciate the\nopportunity to work with researchers on security vulnerabilities and\nwelcome the opportunity to review and assist in product reports. \n\nAll versions of system software prior to the first fixed, which is\nindicated in the Software Version and Fixes Table, are affected. \n\nTo view the version of system software that is currently running on\nCisco Unified Videoconferencing 5100 Series Products, access the\nCisco UVC device via the web GUI interface. On the status screen, the\n\"Software Version\" field below the \"Product Information\" section\nindicates the current system software. \n\nDetails for Reported Vulnerabilities\n====================================\n\nHard-Coded Credentials in Cisco UVC Products\n+-------------------------------------------\n\nThe Linux shell contains three hard-coded usernames and passwords. \nThe passwords cannot be changed, and the accounts cannot be deleted. \nAttackers could leverage these accounts to obtain remote access to a\ndevice by using permitted remote access protocols. \n\nThis vulnerability only affects Linux-based operating system Cisco\nUVC products. Exploitation of this\nvulnerability could result in a complete compromise of the device. \n\nThis vulnerability affects Linux-based operating system Cisco UVC\nproducts. It may also affect VxWorks-based Cisco UVC products. The passwords in this file are\nobfuscated using an easily reversible hashing scheme. Exploit code\nthat assists in recovering the passwords exists. \n\nThis vulnerability affects only Linux-based operating system Cisco\nUVC products. \n\nFTP Server Accessible by Default in Cisco UVC Products\n+-----------------------------------------------------\n\nThe FTP server is enabled by default on Cisco UVC systems. An\nattacker can leverage the FTP server to exploit other vulnerabilities\nin this Cisco Security Response. Authentication is required to log\ninto the device via the FTP server. \n\nFTP access to the device can be controlled via the \"Security mode\"\nfield of the Cisco UVC products web GUI. If the Security setting is\nconfigured as \"High\" or \"Maximum,\" the device will not accept FTP\nconnections. For further information, consult the Configuration Guide\nfor Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the\nfollowing link:\n\nhttp://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479\n\nThis service misconfiguration affects both Linux-based operating\nsystem Cisco UVC products and VxWorks-based Cisco UVC products. \n\nShadow Password File has Read Permissions for All Users in Cisco UVC Products\n+----------------------------------------------------------------------------\n\nThe shadow password file should only be readable by the root account. \nAllowing read access to the shadow password file allows other users\nof the system with shell access to retrieve the shadow password file. \nAn authenticated user who has access to the Linux operating system\ndirectories, may be able to retrieve the shadow password file. \n\nThis service misconfiguration only affects Linux-based operating\nsystem Cisco UVC products. \n\nLock Down OpenSSH Configuration in Cisco UVC Products\n+----------------------------------------------------\n\nThe SSH server has a restricted shell, however the configuration of\nthe SSH server allows for X.11 forwarding and socks proxies to be\ncreated. \n\nThis service misconfiguration affects only Linux-based operating\nsystem Cisco UVC products. \n\nDaemon That Binds the Port of the Web Interface Runs as root in Cisco\nUVC Products\n\nIn the event that all attacker exploits a flaw in a script running\nwith root\u0027s permissions that allows them to write to files, gain\naccess to the system or cause a denial of service. \n\nThis service misconfiguration affects only Linux-based operating\nsystem Cisco UVC products. \n\nWeak Session IDs on the Web Interface in Cisco UVC Products\n+----------------------------------------------------------\n\nThe Cisco UVC web interface has session IDs that are incremented\nbased on a time counter. Having predictable session IDs, assists in\nthe hijacking of user sessions. \n\nThis vulnerability affects both Linux-based operating system Cisco\nUVC products and VxWorks-based Cisco UVC products. \n\nUsage of Cookies to Store Credentials in Cisco UVC Products\n+----------------------------------------------------------\n\nOn Linux-based Cisco UVC products, web interface credentials are\nstored in Base64 format in the cookie that is sent to a browser. On\nVxWorks-based Cisco UVC products, web interface credentials are\nstored in Base64 format or in clear text. \n\nThis vulnerability affects both Linux-based operating system Cisco\nUVC products and VxWorks-based Cisco UVC products. \n\nSoftware Versions and Fixes\n===========================\n\nWhen considering software upgrades, also consult\nhttp://www.cisco.com/go/psirt and any subsequent advisories to determine\nexposure and a complete upgrade solution. \n\nIn all cases, customers should exercise caution to be certain the\ndevices to be upgraded contain sufficient memory and that current\nhardware and software configurations will continue to be supported\nproperly by the new release. If the information is not clear, contact\nthe Cisco Technical Assistance Center (TAC) or your contracted\nmaintenance provider for assistance. \n\nAll Cisco UVC software versions prior to the first fixed software\nrelease, which is indicated in the following table, are affected by the\nassociated vulnerabilities. \n\nThis software table will be updated as software fixes become available. \n\n+---------------------------------------+\n| Linux Cisco UVC Operating System |\n| Versions |\n|---------------------------------------|\n| Product: | First Fixed |\n| | Release |\n|-------------------+-------------------|\n| | Currently no |\n| Cisco Unified | fixed code |\n| Videoconferencing | available. |\n| 5110 and 5115 | Contact your |\n| Systems | support |\n| | organization. |\n|---------------------------------------|\n| VxWorks Cisco UVC Operating System |\n| Versions |\n|---------------------------------------|\n| Product: | First Fixed |\n| | Release |\n|-------------------+-------------------|\n| | Currently no |\n| Cisco Unified | fixed code |\n| Videoconferencing | available. |\n| 5230 System: | Contact your |\n| | support |\n| | organization. |\n| 3545 System: | Contact your |\n| | support |\n| | organization. |\n| 3515 MCU: | Contact your |\n| | support |\n| | organization. |\n| 3522 BRI Gateway: | Contact your |\n| | support |\n| | organization. |\n| 3527 PRI Gateway: | Contact your |\n| | support |\n| | organization. |\n+---------------------------------------+\n\nWorkarounds\n===========\n\nThere are no workarounds for the vulnerabilities that are described in\nthis Cisco Security Response. \n\nAdministrators can mitigate these vulnerabilities by limiting access to\nCisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet\nservices and by setting the \"Security mode\" field in the \"Security\"\nsection of the Cisco UVC web GUI to \"Maximum.\" For further information,\nconsult the Configuration Guide for Cisco Unified Videoconferencing 5000\nMCU Release 7.0 at the following link:\n\nhttp://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479\n\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY\nANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\nDOCUMENT AT ANY TIME. \n\nStatus of this Notice: INTERIM\n==============================\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY\nANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\nDOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW\nINFORMATION BECOMES AVAILABLE. \n\nA stand-alone copy or Paraphrase of the text of this document that omits\nthe distribution URL in the following section is an uncontrolled copy,\nand may lack important information or contain factual errors. \n\nRevision History\n================\n\n+------------------------------------------------------------+\n| Revision 1.0 | 2010-November-17 | Initial public release. |\n+------------------------------------------------------------+\n\nCisco Security Procedures\n=========================\n\nComplete information on reporting security vulnerabilities in\nCisco products, obtaining assistance with security incidents, and\nregistering to receive security information from Cisco, is available\non Cisco\u0027s worldwide website at\nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. \nThis includes instructions for press inquiries regarding Cisco security\nnotices. All Cisco security advisories are available at\nhttp://www.cisco.com/go/psirt. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx\nmM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M\n=f751\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2010-3037"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"db": "BID",
"id": "44922"
},
{
"db": "VULHUB",
"id": "VHN-45642"
},
{
"db": "PACKETSTORM",
"id": "95965"
},
{
"db": "PACKETSTORM",
"id": "95936"
},
{
"db": "PACKETSTORM",
"id": "95919"
}
],
"trust": 2.79
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-45642",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45642"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2010-3037",
"trust": 3.6
},
{
"db": "BID",
"id": "44922",
"trust": 1.4
},
{
"db": "SECTRACK",
"id": "1024753",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201011-208",
"trust": 0.7
},
{
"db": "SECUNIA",
"id": "42248",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2010-2843",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20101117 CISCO UNIFIED VIDEOCONFERENCING MULTIPLE VULNERABILITIES - CVE-2010-3037 CVE-2010-3038",
"trust": 0.6
},
{
"db": "CISCO",
"id": "20101117 MULTIPLE VULNERABILITIES IN CISCO UNIFIED VIDEOCONFERENCING PRODUCTS",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "95936",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "95919",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-45642",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "95965",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"db": "VULHUB",
"id": "VHN-45642"
},
{
"db": "BID",
"id": "44922"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"db": "PACKETSTORM",
"id": "95965"
},
{
"db": "PACKETSTORM",
"id": "95936"
},
{
"db": "PACKETSTORM",
"id": "95919"
},
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
},
{
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"id": "VAR-201011-0226",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"db": "VULHUB",
"id": "VHN-45642"
}
],
"trust": 1.3536231809090906
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-2843"
}
]
},
"last_update_date": "2025-04-11T22:54:09.149000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-sa-20101206-cuvc",
"trust": 0.8,
"url": "http://www.cisco.com/en/US/products/products_security_response09186a0080b56d0d.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-94",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45642"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://www.trustmatta.com/advisories/matta-2010-001.txt"
},
{
"trust": 1.8,
"url": "http://seclists.org/fulldisclosure/2010/nov/167"
},
{
"trust": 1.7,
"url": "http://www.cisco.com/en/us/products/products_security_response09186a0080b56d0d.html"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/44922"
},
{
"trust": 1.1,
"url": "http://www.securitytracker.com/id?1024753"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3037"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3037"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/514798http"
},
{
"trust": 0.6,
"url": "http://secunia.com/advisories/42248"
},
{
"trust": 0.5,
"url": "http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/en/us/products/hw/video/ps1870/index.html"
},
{
"trust": 0.3,
"url": "/archive/1/514797"
},
{
"trust": 0.3,
"url": "/archive/1/514798"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20101206-cuvc.shtml"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-3038"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-3037"
},
{
"trust": 0.1,
"url": "http://secunia.com/products/corporate/evm/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/42248/"
},
{
"trust": 0.1,
"url": "http://secunia.com/products/corporate/vim/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/42248/#comments"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/personal/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42248"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt"
},
{
"trust": 0.1,
"url": "http://www.trustmatta.com"
},
{
"trust": 0.1,
"url": "http://www.trustmatta.com/network_va.html"
},
{
"trust": 0.1,
"url": "http://www.trustmatta.com/webapp_va.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/products/products_security_vulnerability_policy.html."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/go/psirt"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/go/psirt."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"db": "VULHUB",
"id": "VHN-45642"
},
{
"db": "BID",
"id": "44922"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"db": "PACKETSTORM",
"id": "95965"
},
{
"db": "PACKETSTORM",
"id": "95936"
},
{
"db": "PACKETSTORM",
"id": "95919"
},
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
},
{
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"db": "VULHUB",
"id": "VHN-45642"
},
{
"db": "BID",
"id": "44922"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"db": "PACKETSTORM",
"id": "95965"
},
{
"db": "PACKETSTORM",
"id": "95936"
},
{
"db": "PACKETSTORM",
"id": "95919"
},
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
},
{
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-11-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"date": "2010-11-22T00:00:00",
"db": "VULHUB",
"id": "VHN-45642"
},
{
"date": "2010-11-17T00:00:00",
"db": "BID",
"id": "44922"
},
{
"date": "2012-03-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"date": "2010-11-18T04:41:44",
"db": "PACKETSTORM",
"id": "95965"
},
{
"date": "2010-11-18T00:35:38",
"db": "PACKETSTORM",
"id": "95936"
},
{
"date": "2010-11-17T23:46:07",
"db": "PACKETSTORM",
"id": "95919"
},
{
"date": "2010-11-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201011-208"
},
{
"date": "2010-11-22T20:00:03.167000",
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-11-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2010-2843"
},
{
"date": "2010-12-10T00:00:00",
"db": "VULHUB",
"id": "VHN-45642"
},
{
"date": "2010-12-06T19:55:00",
"db": "BID",
"id": "44922"
},
{
"date": "2012-03-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-003011"
},
{
"date": "2010-11-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201011-208"
},
{
"date": "2025-04-11T00:51:21.963000",
"db": "NVD",
"id": "CVE-2010-3037"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Cisco UVC System Vulnerability to execute arbitrary commands in the product",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-003011"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201011-208"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.