Authentication Bypass in Cisco Unity

An article by Fabio Semperboni    No Comments

(No Ratings Yet)

A vulnerability exists in Cisco Unity that could allow an unauthenticated user to view or modify some of the configuration parameters of the Cisco Unity server. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

Vulnerable Products
All Cisco Unity versions, 4.x, 5.x and 7.x, may be affected by this vulnerability.

Details
Cisco Unity servers may be affected by an authentication bypass when they are configured for anonymous authentication. Anonymous authentication is used when Cisco Unity servers are authenticated to the subscriber instead of Microsoft Windows (Integrated Windows authentication). By default, Cisco Unity is configured so that the administrator uses the Integrated Windows authentication method for authentication.

Details on authentication mechanisms can be found in the Installation Guide for Cisco Unity in the Authentication Methods Available for the Cisco Unity Administrator section.

This authentication bypass vulnerability allows an unauthenticated user the ability to view or modify some system configuration parameters. No credentials, personally identifiable, or user information can be obtained through exploitation of this vulnerability.

Impact
Successful exploitation of the vulnerability may result in an unauthenticated user viewing or altering some configuration parameters of the Cisco Unity server.

More info on http://www.cisco.com/warp/public/707/cisco-sa-20081008-unity.shtml