Vulnslist


Cisco TC Software Empty Password Validation Vulnerability

Cisco-SA-20130711-CVE-2013-3405 · Medium

A vulnerability in the web portal of Cisco TelePresence endpoints running TC software could allow an unauthenticated, remote attacker to log in with any password. The vulnerability is due to a failure of the Cisco TelePresence endpoints to require an exact match for the password before the user has configured a password for the first time: while an account's password is still unset, the login check accepts whatever value the client supplies. An attacker could exploit this vulnerability by submitting the username of such an account together with an arbitrary password. Cisco has confirmed the vulnerability in a security notice and has released software updates.

To exploit this vulnerability, an attacker may require access to trusted, internal networks in order to reach the web portal of the affected software. In addition, the attacker must know a username for a user who has not yet configured a password. These requirements could limit the likelihood of a successful exploit. Cisco indicates through the CVSS temporal metric (E:F) that functional exploit code exists; however, the code is not known to be publicly available.
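As an added illustration, not code from the advisory or from Cisco TC software, the snippet below shows the kind of non-exact password comparison that produces this behaviour, beside a hardened form. The struct, function names and sample credentials are assumptions made for the example; the vulnerable check compares only as many bytes as the stored password has, so an unset (empty) password matches any input, and a configured password also matches any input that merely begins with it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical record for a local web-portal user. An empty string models
 * the "password not yet configured" state that the advisory describes. */
struct local_user {
    const char *name;
    const char *password;   /* NUL-terminated; "" = never set */
};

/* VULNERABLE pattern (illustrative, not Cisco's code): the comparison only
 * covers strlen(stored) bytes, so it is a prefix match rather than an exact
 * match. With an empty stored password strlen() is 0, strncmp() compares
 * nothing and returns 0, and every supplied password is accepted. */
int check_password_vulnerable(const struct local_user *u, const char *supplied)
{
    return strncmp(u->password, supplied, strlen(u->password)) == 0;
}

/* HARDENED form: refuse to authenticate an account whose password has never
 * been configured, require equal length, and compare the full string in
 * constant time so timing does not reveal how many leading bytes matched. */
int check_password_fixed(const struct local_user *u, const char *supplied)
{
    size_t stored_len = strlen(u->password);
    size_t supplied_len = strlen(supplied);

    if (stored_len == 0)            /* account not yet initialised */
        return 0;
    if (stored_len != supplied_len) /* exact length required */
        return 0;

    unsigned char diff = 0;
    for (size_t i = 0; i < stored_len; i++)
        diff |= (unsigned char)u->password[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed sample accounts: one never configured, one configured. */
    struct local_user fresh = { "admin", "" };
    struct local_user set   = { "admin", "S3cure-pass" };
    const char *attempts[] = { "", "anything", "S3cure-passXYZ", "S3cure-pass" };

    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++) {
        printf("\"%s\": unset-account vuln=%d fixed=%d | set-account vuln=%d fixed=%d\n",
               attempts[i],
               check_password_vulnerable(&fresh, attempts[i]),
               check_password_fixed(&fresh, attempts[i]),
               check_password_vulnerable(&set, attempts[i]),
               check_password_fixed(&set, attempts[i]));
    }
    return 0;
}
```

The hardened version also refuses logins outright while the password is unset; forcing the first-time password setup through a separate, authenticated path is what removes the window the advisory describes.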

Workarounds

Administrators are advised to apply the appropriate updates; this is the fix rather than a workaround.

Administrators are advised to ensure that every local account has a password configured and to enforce strong passwords, since only accounts whose password has never been set are affected.

Administrators are advised to allow only trusted users to have network access to the segment from which the endpoint's web portal is reachable.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted management systems to access the affected endpoints.

Administrators are advised to monitor affected systems for web portal logins to accounts that should not be in use.

CVEs: CVE-2013-3405
Cisco Bug IDs: CSCud96071
CVSS Score: Base 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)
Product Names From Source: Cisco TelePresence TC Software

Related Products

Product                         CVE             Evidence
Cisco TelePresence TC Software  CVE-2013-3405   Cisco OpenVuln
Cisco TelePresence              CVE-2013-3405   Cisco OpenVuln