Remotely Exploitable Bug Affects Wide Range Of Cisco Telepresence Systems
There's a serious vulnerability in Cisco's popular TelePresence system that could give an attacker complete control of the affected system. The vulnerability affects a broad range of TelePresence models, although there are workarounds available.
The vulnerability results from default credentials that are set up in the TelePresence systems. If a user account is created with the default credentials, an attacker would be able to exploit the bug and gain complete control of the Web server on which the system is running. Cisco has not yet made patched versions of the TelePresence software available.
"The vulnerability is due to a default user account being created at installation time. An attacker could exploit this vulnerability by remotely accessing the web server and using the default account credentials. An exploit could allow the attacker to log in with the default credentials, which gives them full administrative rights to the system," Cisco said in its advisory.
"Cisco TelePresence System Software includes a password recovery administrator account that is enabled by default. Successful exploitation of this vulnerability could allow a remote attacker to use these default credentials to modify the system configuration and settings and take full control of the affected system. An attacker could use this account to modify the system configuration and settings via an HTTPS session."
TelePresence is Cisco's video and audio conferencing system, designed to mimic the experience of being in the same room with the other participants. Affected by this flaw are Cisco TelePresence System Series 500, 13X0, 1X00, 3X00, and 30X0 running Cisco TelePresence System Software Releases 1.10.1 and prior, and Cisco TelePresence TX 9X00 Series running Cisco TelePresence System Software Releases 6.0.3 and prior.
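For administrators checking their own estate against the ranges above, here is an added example (not from Cisco's advisory or this article's author): a Python inventory triage that applies the listed model series and release ceilings. It assumes "X" in a model name stands for one digit and that inventory rows hold a bare model number and a dotted release string; the sample rows and all function names are constructed for illustration.

```python
import re

# Affected ranges as listed in the article: (model patterns, last affected release).
# Assumption: "X" in a model name stands for exactly one digit.
AFFECTED = [
    (("500", "13X0", "1X00", "3X00", "30X0"), (1, 10, 1)),
    (("9X00",), (6, 0, 3)),  # TelePresence TX 9X00 Series
]

# Constructed sample rows: (hostname, model number, software release).
INVENTORY = [
    ("room-a", "500", "1.9.2"),
    ("room-b", "1300", "1.10.1"),
    ("room-c", "3010", "1.10.2"),
    ("board", "9000", "6.0.3"),
    ("lab", "9200", "6.1.0"),
    ("old", "3200", "unknown"),
]

def parse_version(text):
    """Turn '1.10.1' into (1, 10, 1) so 1.9 sorts below 1.10 (string compare would not)."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable release: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(model, release):
    """True if the model matches a listed series and the release is at or below its ceiling."""
    ver = parse_version(release)
    for patterns, ceiling in AFFECTED:
        if any(re.fullmatch(p.replace("X", r"\d"), model) for p in patterns):
            width = max(len(ver), len(ceiling))  # pad so '1.10' compares as 1.10.0
            return ver + (0,) * (width - len(ver)) <= ceiling + (0,) * (width - len(ceiling))
    return False

def triage(rows):
    """Bucket hosts; releases that cannot be parsed go to manual review, not to 'not_listed'."""
    result = {"affected": [], "not_listed": [], "review": []}
    for host, model, release in rows:
        try:
            bucket = "affected" if is_affected(model, release) else "not_listed"
        except ValueError:
            bucket = "review"
        result[bucket].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host in `not_listed` is only outside the ranges quoted in this article; the article notes that patched software was not yet available, so the advisory's workarounds remain the reference for remediation.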