Workarounds exist to mitigate this vulnerability.
For customers using Cisco TelePresence codecs registered with Cisco Unified Communications Manager (Unified CM), the following workaround exists:
1. Proceed to Cisco Unified CM Administration and select Device > Phone, search and select the configured Cisco TelePresence unit.
2. Under the Secure Shell Information (ssh), change the ssh helpdesk user name from the default helpdesk to pwrecovery, and then choose an alternate password.
This will overwrite the pwrecovery account stored on the Cisco TelePresence unit, and permit changing the password from the default to one created by the Cisco Unfied CM administrator.
Note: Password recovery will continue to function through ssh as designed, but the user is required to have physical access to the Cisco TelePresence unit in order to execute a recovery. The ssh access will have to use the updated password information for the pwrecovery account.
3. Reboot the Cisco TelePresence codec to download the updated Cisco Unified CM configuration.
This workaround is persistent because the codec downloads the configuration after every reboot.
As a result, the GUI access would require a user to know either the administrator or newly configured pwrecovery credentials as configured in Cisco Unified CM. Default pwrecovery credentials will cease to function.
For customers with non-Cisco Unified CM registered Cisco TelePresence codecs, the workaround requires manual intervention on the affected system. Please contact the Cisco Technical Assistance Center (TAC) for instructions on how to implement this workaround.