Products & Services

Vulnerable Products

Products Confirmed Not Vulnerable

Cisco Video Surveillance IP Gateway video encoders and decoders allow the video feeds of cameras to be sent over an IP network. This function provides an upgrade path for users to convert from existing analog surveillance systems. Cisco Video Surveillance Services Platforms and Integrated Services Platforms record and aggregate video feeds received from IP Gateways. Stored video can be viewed and manipulated using the Cisco Video Surveillance Stream Manager software.

• IP Gateway Encoder/Decoder Telnet Authentication Vulnerability:
  The Telnet server installed on Cisco Video Surveillance IP Gateway video encoders and decoders does not prompt for authentication. This may allow a remote user with network connectivity to gain interactive shell access with administrative privileges on vulnerable devices. This issue is documented in Cisco Bug ID CSCsj31729 ( registered customers only) .
  
• Services Platform/Integrated Services Platform Default Authentication Vulnerability:
  Cisco Video Surveillance Services Platform and Integrated Services Platform devices ship with default passwords for the sypixx and root user accounts. Users are not able to change these passwords due to application requirements. Users with knowledge of the default passwords may be able to gain interactive shell access with administrative privileges to vulnerable devices. This issue is documented in Cisco Bug ID CSCsj34681 ( registered customers only) .
  

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerabilities in individual networks.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a FAQ to answer additional questions regarding CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss .

Top of the section      Close Section

Successful exploitation of these vulnerabilities will result in the ability for a remote user to gain complete administrative access to vulnerable devices. An attacker with access to a vulnerable device may be able to view, alter, or delete video streams processed by the device, or cause a denial of service that may result in the loss of surveillance coverage.

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

There are no workarounds for these vulnerabilities.

Filtering traffic to affected systems on screening devices can be used as a mitigation technique for both vulnerabilities. Access to the Telnet service (TCP port 23) on vulnerable devices should be restricted to authorized administration workstations.

There is currently no method to configure filtering directly on IP Gateway encoders and decoders or Services Platform devices.

Filters blocking access to TCP port 23 should be deployed at the network edge as part of a transit access list, which will protect the router where the access control list (ACL) is configured and also other devices behind it. Further information about transit access control lists is available in the white paper Transit Access Control Lists: Filtering at Your Edge, which is available at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20070905-video.shtml

Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Customers with vulnerable devices should contact the Cisco TAC or their primary support organization to obtain fixed software and upgrade instructions.

Customers with Service Contracts

Customers using Third Party Support Organizations

Customers without Service Contracts

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

These vulnerabilities were internally discovered by Cisco.

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20070905-video.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

• cust-security-announce@cisco.com
  
• first-teams@first.org
  
• bugtraq@securityfocus.com
  
• vulnwatch@vulnwatch.org
  
• cisco@spot.colorado.edu
  
• cisco-nsp@puck.nether.net
  
• full-disclosure@lists.grok.org.uk
  
• comp.dcom.sys.cisco@newsgate.cisco.com
  

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Top of the section      Close Section

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.