<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.6944.0">
<TITLE>Re: [cisco-voip] FW: [c-nsp] Cisco Security Advisory: Cisco Unity Integrated with Exchange Has Default Passwords</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText69014 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>If I remember right, the
install guide suggests you harden the passwords during the
installation.</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> cisco-voip-bounces@puck.nether.net on
behalf of Ryan Ratliff<BR><B>Sent:</B> Wed 12/15/2004 2:15 PM<BR><B>To:</B>
Voll, Scott<BR><B>Cc:</B> cisco-voip@puck.nether.net<BR><B>Subject:</B> Re:
[cisco-voip] FW: [c-nsp] Cisco Security Advisory: Cisco Unity Integrated
with Exchange Has Default Passwords <BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>Looks like you can disable them or just give them a good
password. <BR>Definitely don't delete them if you like Unity to
run.<BR><BR>-Ryan<BR>On Dec 15, 2004, at 1:01 PM, Voll, Scott wrote:<BR><BR>>
Did everyone see this?<BR>><BR>> Am I to understand that I can just
disable all the accounts as my<BR>> workaround?<BR>><BR>>
Scott<BR>><BR>> -----Original Message-----<BR>> From:
cisco-nsp-bounces@puck.nether.net<BR>> [<A
href="mailto:cisco-nsp-bounces@puck.nether.net">mailto:cisco-nsp-bounces@puck.nether.net</A>]
On Behalf Of Cisco Systems<BR>> Product Security Incident Response
Team<BR>> Sent: Wednesday, December 15, 2004 8:45 AM<BR>> To:
cisco-nsp@puck.nether.net<BR>> Cc: psirt@cisco.com<BR>> Subject: [c-nsp]
Cisco Security Advisory: Cisco Unity Integrated<BR>> with Exchange Has Default
Passwords<BR>><BR>> -----BEGIN PGP SIGNED MESSAGE-----<BR>> Hash:
SHA1<BR>><BR>><BR>>
=================================================================<BR>> Cisco
Security Advisory: Cisco Unity Integrated with Exchange Has<BR>> Default
Passwords<BR>>
=================================================================<BR>><BR>>
Revision 1.0: FINAL<BR>><BR>> For Public Release 2004 December 15 1600 UTC
(GMT)<BR>><BR>>
+----------------------------------------------------------------------<BR>><BR>>
Contents<BR>> ========<BR>><BR>>
Summary<BR>> Affected
Products<BR>> Details<BR>>
Impact<BR>> Software Versions and
Fixes<BR>> Obtaining Fixed
Software<BR>>
Workarounds<BR>> Exploitation and Public
Announcements<BR>> Status of This Notice:
FINAL<BR>>
Distribution<BR>> Revision
History<BR>> Cisco Security
Procedures<BR>><BR>>
+----------------------------------------------------------------------<BR>><BR>>
Summary<BR>> =======<BR>><BR>> Several default username/password
combinations are present in all<BR>> available releases of Cisco Unity when
integrated with Microsoft<BR>> Exchange. The accounts include a privileged
administrative account, as<BR>> well as several messaging accounts used for
integration with other<BR>> systems. An unauthorized user may be able to use
these default accounts<BR>> to read incoming and outgoing messages, and
perform administrative<BR>> functions on the Unity system.<BR>><BR>>
This vulnerability is documented in the Cisco Bug Toolkit as Bug ID<BR>>
CSCeg08552<BR>><BR>> This advisory is available at<BR>> <A
href="http://www.cisco.com/warp/public/707/cisco-sa-20041215-unity.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20041215-unity.shtml</A><BR>><BR>>
Affected Products<BR>> =================<BR>><BR>> Vulnerable
Products<BR>> +------------------<BR>><BR>> Cisco Unity versions 2.x,
3.x, and 4.x when integrated with Microsoft<BR>> Exchange.<BR>><BR>>
Products Confirmed Not Vulnerable<BR>>
+--------------------------------<BR>><BR>> The following products are
confirmed not vulnerable:<BR>><BR>> * Any version of Cisco
Unity when integrated with Lotus Notes<BR>> * Cisco Unity
Express<BR>> * Cisco CallManager and CallManager
Express<BR>> * Cisco MeetingPlace<BR>><BR>> No other Cisco
products are currently known to create these specific<BR>> default
account/passwords.<BR>><BR>> Details<BR>> =======<BR>><BR>> Cisco
Unity is a communications solution which delivers unified<BR>> messaging
(e-mail, voice, and fax messages sent to one inbox) and<BR>> intelligent
voice messaging. Cisco Unity integrates with desktop<BR>> applications such
as Microsoft Outlook and Lotus Notes.<BR>><BR>> Several default
username/password combinations are present in all<BR>> releases of Cisco Unity
when integrated with Microsoft Exchange.<BR>><BR>> An unauthorized user
may be able to use these default accounts to read<BR>> incoming and outgoing
messages, or to perform administrative functions<BR>> on the Unity
system.<BR>><BR>> The specified accounts with default passwords
are:<BR>><BR>> EAdmin&lt;systemid&gt;<BR>>
UNITY_&lt;servername&gt;<BR>> UAMIS_&lt;servername&gt;<BR>>
UOMNI_&lt;servername&gt;<BR>> UVPIM_&lt;servername&gt;<BR>>
ESubscriber<BR>><BR>> This vulnerability is documented in the Cisco Bug
Toolkit as Bug ID<BR>> CSCeg08552<BR>><BR>> Impact<BR>>
======<BR>><BR>> An unauthorized user may utilize EAdmin&lt;systemid&gt;
to access the Cisco<BR>> Unity Administrator in order to create, edit, or
delete classes of<BR>> service, restriction tables, call routing tables, call
handlers,<BR>> schedules and holidays, subscribers, public distribution
lists, or to<BR>> perform other administrative functions.<BR>><BR>> An
unauthorized user may utilize UNITY_&lt;servername&gt;, <BR>>
UAMIS_&lt;servername&gt;,<BR>> UOMNI_&lt;servername&gt;, or
UVPIM_&lt;servername&gt; to read<BR>> incoming and outgoing messages as they
are passed to and from external<BR>> voicemail systems. Please note that
local messages which do not pass to<BR>> non-Unity voicemail systems are not
made visible by this vulnerability.<BR>><BR>> ESubscriber is an example
user account that conveys no administrative<BR>> or other special abilities.
However it is contrary to best security<BR>> practices to have unused
accounts with default passwords.<BR>><BR>> Software Versions and
Fixes<BR>> ===========================<BR>><BR>> Cisco Unity 4.0(5),
which is scheduled for release in the first<BR>> quarter of the calendar
year 2005, will contain the fix for this issue<BR>> for NEW INSTALLS
ONLY.<BR>><BR>> Note: An upgrade to Cisco Unity 4.0(5) from any previous
version will<BR>> still contain this vulnerability. Customers upgrading to
version 4.0(5)<BR>> from any previous version must apply the workaround
listed below to<BR>> eliminate the vulnerability.<BR>><BR>> Obtaining
Fixed Software<BR>> ========================<BR>><BR>> As the fix for
this vulnerability is a default configuration change,<BR>> and a workaround
is available, a software upgrade is not required to<BR>> address this
vulnerability. However, if you have a service contract,<BR>> and wish to
upgrade to unaffected code, you may obtain upgraded<BR>> software through
your regular update channels once that software is<BR>> available. For most
customers, this means that upgrades should be<BR>> obtained through the
Software Center on Cisco's Worldwide Web site at<BR>> <A
href="http://www.cisco.com/">http://www.cisco.com/</A><BR>><BR>> If you
need assistance with the implementation of the workarounds, or<BR>> have
questions on the workarounds, please contact the Cisco Technical<BR>>
Assistance Center (TAC).<BR>><BR>> * +1 800 553 2447 (toll
free from within North America)<BR>> * +1 408 526 7209 (toll call
from anywhere in the world)<BR>> * e-mail:
tac@cisco.com<BR>><BR>> See <A
href="http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml">http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml</A>
for<BR>> additional TAC contact information, including special
localized<BR>> telephone numbers and instructions and e-mail addresses for
use in<BR>> various languages.<BR>><BR>> Customers may only install and
expect support for the feature sets they<BR>> have purchased. By installing,
downloading, accessing or otherwise<BR>> using such software upgrades,
customers agree to be bound by the terms<BR>> of Cisco's software license
terms found at<BR>> <A
href="http://www.cisco.com/public/sw-license-agreement.html">http://www.cisco.com/public/sw-license-agreement.html</A>,<BR>>
or as otherwise set forth at Cisco.com<BR>> Downloads at <A
href="http://www.cisco.com/public/sw-center/sw-usingswc.shtml">http://www.cisco.com/public/sw-center/sw-usingswc.shtml</A><BR>><BR>>
Workarounds<BR>> ===========<BR>><BR>> It is recommended to change to a
strong password for all accounts<BR>> created by Cisco Unity.<BR>><BR>>
The accounts that are created automatically when Cisco Unity is<BR>>
integrated with Microsoft Exchange are: (replacing &lt;servername&gt;
with<BR>> that of the particular Unity server, and &lt;systemid&gt; with that
of your<BR>> particular system id)<BR>><BR>>
EAdmin&lt;systemid&gt;<BR>> Unity_&lt;servername&gt;<BR>>
UAMIS_&lt;servername&gt;<BR>> UOMNI_&lt;servername&gt;<BR>>
UVPIM_&lt;servername&gt;<BR>> ESubscriber<BR>><BR>> Note: Please note
that the account ESubscriber is only created during<BR>> installation of
versions PRIOR to version 4.0(3). If your initial<BR>> installation of Unity
was 4.0(3) or later, Esubscriber will not be<BR>> present.<BR>><BR>>
See<BR>> <A
href="http://cisco.com/en/US/products/sw/voicesw/ps2237/products_tech_note09186a0080093f54.shtml">http://cisco.com/en/US/products/sw/voicesw/ps2237/products_tech_note09186a0080093f54.shtml</A><BR>> for additional
information on how to change account passwords.<BR>><BR>> For guidance on
strong passwords, please refer to your security policy.<BR>><BR>> The CERT
Coordination Center also has suggestions on strong password<BR>> policy
at<BR>> <A
href="http://www.cert.org/tech_tips/unix_configuration_guidelines.html#A">http://www.cert.org/tech_tips/unix_configuration_guidelines.html#A</A><BR>><BR>>
Optionally, a customer may disable (but not delete), these specific<BR>>
accounts for extra security. Beginning with version 4.0(5) of Cisco<BR>>
Unity, these specific accounts will be created in a disabled state. For<BR>>
additional instructions on how to disable these accounts, please see<BR>> <A
href="http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/dsadmin_disable_andenable_accounts.htm">http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/dsadmin_disable_andenable_accounts.htm</A><BR>><BR>><BR>>
With the exception of ESubscriber, it is important to NOT delete any of<BR>>
the accounts listed above. Deletion of EAdmin&lt;systemid&gt;,<BR>>
Unity_&lt;servername&gt;,<BR>> UAMIS_&lt;servername&gt;,
UOMNI_&lt;server&gt;, or UVPIM_&lt;servername&gt; will have an<BR>> adverse
effect on Cisco Unity operation.<BR>><BR>> No interruption of service, nor
restart of Cisco Unity is required to<BR>> apply this
workaround.<BR>><BR>> Exploitation and Public Announcements<BR>>
=====================================<BR>><BR>> The Cisco PSIRT is not
aware of any public announcements or malicious<BR>> use of the vulnerability
described in this advisory.<BR>><BR>> This vulnerability was discovered
during internal Cisco security<BR>> review.<BR>><BR>> Status of This
Notice: FINAL<BR>> ============================<BR>><BR>> THIS ADVISORY
IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY<BR>> KIND OF GUARANTEE
OR WARRANTY. YOUR USE OF THE INFORMATION ON THE<BR>> ADVISORY OR MATERIALS
LINKED FROM THE ADVISORY IS AT YOUR OWN RISK.<BR>> CISCO RESERVES THE RIGHT
TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.<BR>><BR>>
Distribution<BR>> ============<BR>><BR>> This advisory will be posted
on Cisco's worldwide website at<BR>> <A
href="http://www.cisco.com/warp/public/707/cisco-sa-20041215-unity.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20041215-unity.shtml</A><BR>><BR>>
In addition to worldwide web posting, a text version of this notice is<BR>>
clear-signed with the Cisco PSIRT PGP key and is posted to the<BR>> following
e-mail and Usenet news recipients.<BR>><BR>> *
cust-security-announce@cisco.com<BR>> * first-teams@first.org
(includes CERT/CC)<BR>> *
bugtraq@securityfocus.com<BR>> *
vulnwatch@vulnwatch.org<BR>> *
cisco@spot.colorado.edu<BR>> *
cisco-nsp@puck.nether.net<BR>> *
full-disclosure@lists.netsys.com<BR>> *
comp.dcom.sys.cisco@newsgate.cisco.com<BR>><BR>> Future updates of this
advisory, if any, will be placed on Cisco's<BR>> worldwide website, but may
or may not be actively announced on mailing<BR>> lists or newsgroups. Users
concerned about this problem are encouraged<BR>> to check the above URL for
any updates.<BR>><BR>> Revision History<BR>>
================<BR>><BR>>
+----------------------------------------+<BR>> | Revision 1.0 | 2004-December-15 | Initial public release. |<BR>>
+----------------------------------------+<BR>><BR>>
Cisco Security Procedures<BR>> =========================<BR>><BR>>
Complete information on reporting security vulnerabilities in Cisco<BR>>
products, obtaining assistance with security incidents, and registering<BR>>
to receive security information from Cisco, is available on Cisco's<BR>>
worldwide website at<BR>> <A
href="http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html">http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html</A>.<BR>> This includes
instructions for press inquiries regarding Cisco security<BR>> notices. All
Cisco security advisories are available at<BR>> <A
href="http://www.cisco.com/go/psirt">http://www.cisco.com/go/psirt</A>.<BR>><BR>>
+----------------------------------------------------------------------<BR>>
-----BEGIN PGP SIGNATURE-----<BR>> Version: GnuPG v1.2.3
(SunOS)<BR>><BR>>
iD8DBQFBwHQsezGozzK2tZARAigAAKD8pWNdDUUoqSWRng3Enbx3iWa/NACgvoVZ<BR>>
6ocoHWF8pvKgoS4bXQDL4IU=<BR>> =RlrU<BR>> -----END PGP
SIGNATURE-----<BR>> _______________________________________________<BR>>
cisco-nsp mailing list cisco-nsp@puck.nether.net<BR>> <A
href="https://puck.nether.net/mailman/listinfo/cisco-nsp">https://puck.nether.net/mailman/listinfo/cisco-nsp</A><BR>>
archive at <A
href="http://puck.nether.net/pipermail/cisco-nsp/">http://puck.nether.net/pipermail/cisco-nsp/</A><BR>><BR>>
_______________________________________________<BR>> cisco-voip mailing
list<BR>> cisco-voip@puck.nether.net<BR>> <A
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</A><BR>><BR></FONT></P></DIV>
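<P>An added example, not part of this thread or of Cisco's advisory: a check over a directory export for the account names the advisory lists, reporting which are still enabled with a password that looks unchanged since creation and which required accounts appear to be missing. The CSV column layout, the sample rows and the 10-minute "unchanged" heuristic are assumptions made for illustration.</P>

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Account names from the advisory; the suffix is the system id or server name.
UNITY_ACCOUNT = re.compile(r"^(EAdmin|Unity_|UAMIS_|UOMNI_|UVPIM_|ESubscriber$)", re.I)
# The advisory says these must not be deleted (ESubscriber may be).
REQUIRED_PREFIXES = ("eadmin", "unity_", "uamis_", "uomni_", "uvpim_")
ACCOUNTDISABLE = 0x0002  # userAccountControl flag for a disabled account
UNCHANGED_WINDOW = timedelta(minutes=10)  # assumption: heuristic threshold

# Constructed sample export (hypothetical column layout and values).
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,whenCreated,pwdLastSet
EAdmin01,512,2003-04-01T09:00:00,2003-04-01T09:00:05
Unity_VM01,514,2003-04-01T09:00:00,2003-04-01T09:00:05
UAMIS_VM01,512,2003-04-01T09:00:00,2004-12-16T08:30:00
UOMNI_VM01,512,2003-04-01T09:00:00,2003-04-01T09:00:06
ESubscriber,512,2003-04-01T09:00:00,2003-04-01T09:00:07
jsmith,512,2003-05-10T10:00:00,2003-05-10T10:00:01
"""

def audit(export_text):
    """Return (findings, missing): per-account status and required prefixes not found."""
    findings, seen = {}, set()
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        match = UNITY_ACCOUNT.match(name)
        if not match:
            continue  # not one of the accounts Unity creates
        seen.add(match.group(1).lower())
        created = datetime.fromisoformat(row["whenCreated"])
        pwd_set = datetime.fromisoformat(row["pwdLastSet"])
        if int(row["userAccountControl"]) & ACCOUNTDISABLE:
            findings[name] = "disabled"
        elif pwd_set - created <= UNCHANGED_WINDOW:
            findings[name] = "ENABLED, password unchanged since creation"
        else:
            findings[name] = "enabled, password changed"
    missing = [p for p in REQUIRED_PREFIXES if p not in seen]
    return findings, missing

if __name__ == "__main__":
    findings, missing = audit(SAMPLE_EXPORT)
    for name, status in findings.items():
        print(f"{name:14} {status}")
    for prefix in missing:
        print(f"no account with prefix {prefix!r}: check it was not deleted")
```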
</BODY>
</HTML>