- The Cisco Video Surveillance Manager (VSM) allows operations managers and system integrators to build customized video surveillance networks to meet their needs. Cisco VSM provides centralized configuration, management, display, and control of video from Cisco and third-party surveillance endpoints. Multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system.
More information on Cisco VSM can be found at http://www.cisco.com/en/US/products/ps10818/index.html.
Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm
- Cisco VSM is affected by the following vulnerabilities:
- Information Disclosure Through Directory Traversal
Cisco VSM does not properly validate user input to a number of pages, which may be used to gain access to sensitive system files. An unauthenticated, remote attacker may use a crafted URL to access sensitive system files. This vulnerability is documented in Cisco bug ID CSCsv37163 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2013-3429.
Insufficient Authentication to Sensitive Information
Cisco VSM does not require authentication to access potentially sensitive information such as configuration pages, monitoring pages, archives, and system logs. An unauthenticated, remote attacker may exploit these vulnerabilities to create, modify, and remove camera feeds, archives, logs, and users. These vulnerabilities are documented in Cisco bug IDs CSCsv37288 (registered customers only) and CSCsv40169 (registered customers only) and have been assigned the CVE IDs CVE-2013-3430 and CVE-2013-3431.
- The vulnerabilities described in this document can be mitigated or remediated by following the suggestions in the guide Securing Cisco Video Surveillance Manager Release 6.x: Best Practices and Recommendations and removing the Broadware sample code.
The Broadware package name differs by the version of Cisco VSM and can be removed by issuing the command: rpm -e [package.rpm]
    # rpm -qa | grep -i Cisco_VSBWT
    Cisco_VSBWT-6.3.2-20
    # rpm -e Cisco_VSBWT-6.3.2-20
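The two-step workaround above (find the Broadware sample-code package, then remove it) as a small audit script, written here as an added example rather than code from the Cisco advisory. It assumes a VSM 6.x host with the rpm tool available and that the package name matches the Cisco_VSBWT pattern quoted in the advisory, whatever its version suffix; the helper names and the APPLY switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the Cisco advisory): audit a Cisco VSM 6.x host for
# the Broadware sample-code package and print, or with "apply" run, the rpm
# removal the advisory describes. The Cisco_VSBWT name pattern is from the
# advisory; the version suffix is discovered on the host at run time.

# List installed packages whose name matches the Broadware sample-code package.
# Prints one package name per line, nothing if the package is not installed.
find_vsbwt_packages() {
    # rpm -qa prints one installed package per line; the match is
    # case-insensitive, as in the advisory's grep -i.
    rpm -qa 2>/dev/null | grep -i 'Cisco_VSBWT' || true
}

# Dry run: print the exact rpm -e command for every matching package.
# Prints nothing when the workaround is already in place.
plan_vsbwt_removal() {
    find_vsbwt_packages | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        printf 'rpm -e %s\n' "$pkg"
    done
}

# Apply the workaround: remove each matching package, report any failure and
# return non-zero if rpm could not remove one of them.
remove_vsbwt_packages() {
    status=0
    for pkg in $(find_vsbwt_packages); do
        if rpm -e "$pkg"; then
            echo "removed $pkg"
        else
            echo "failed to remove $pkg" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh vsbwt_audit.sh audit   (dry run, default to print the plan)
#        sh vsbwt_audit.sh apply   (remove the package as root)
case "${1:-}" in
    audit) plan_vsbwt_removal ;;
    apply) remove_vsbwt_packages ;;
esac
```

Run the audit mode first on each VSM host and keep its output as a record of which package version was present before removal.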
- Customers are encouraged to follow the suggestions in the Securing Cisco Video Surveillance Manager Release 6.x: Best Practices and Recommendations or upgrade to Cisco VSM version 7.0.1.
Cisco VSM 7.0 and Cisco VSM 7.0.1 releases are available to replace previous versions of Cisco VSM. Contact your Cisco representative for more information on how to obtain VSM 7.0 or 7.0.1 software and for assistance in updating from previous versions of Cisco VSM. When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
- Several of these vulnerabilities were reported on the Bugtraq mailing list on March 13, 2013, by Basem Saleh and are available at http://www.securityfocus.com/archive/1/525984/30/0/threaded.
Revision 1.0 2013-July-24 Initial public release
- THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
source : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm