             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     /_\   /
                         \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Polycom Videoconferencing Remote Vulnerabilities
               [Internet Security Systems Security Advisory]

September 10, 2002 19:00 GMT                                      Number M-123
______________________________________________________________________________
PROBLEM:       Internet Security Systems (ISS) X-Force has discovered multiple
               vulnerabilities in the Polycom ViewStation videoconferencing
               products. The ViewStation devices are powered by a proprietary
               operating system that includes Web, Telnet, and FTP servers.
AFFECTED       Polycom ViewStation 128 version 7.2 and earlier
VERSIONS:      Polycom ViewStation H.323 version 7.2 and earlier
               Polycom ViewStation 512 version 7.2 and earlier
               Polycom ViewStation MP version 7.2 and earlier
               Polycom ViewStation DCP version 7.2 and earlier
               Polycom ViewStation V.35 version 7.2 and earlier
               Polycom ViewStation FX/VS 4000 version 4.1.5 and earlier
DAMAGE:        The Polycom ViewStation is configured by default with a null
               or empty password for the administrator account. The
               integrated Web and Telnet servers are vulnerable to multiple
               attacks including the Unicode directory traversal
               vulnerability. The Polycom ViewStation camera is vulnerable to
               various types of denial of service (DoS) attacks.
SOLUTION:      X-Force recommends that all Polycom ViewStation users
               configure strong passwords on their devices and assess the
               general security of their devices. If possible, ViewStation
               devices should reside behind a firewall.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. X-Force recommends that all Polycom
ASSESSMENT:    ViewStation users configure strong passwords on their devices
               and assess the general security of their devices.
               If possible, ViewStation devices should reside behind a
               firewall.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-123.shtml
 ORIGINAL BULLETIN:  http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089
______________________________________________________________________________

[***** Start Internet Security Systems Security Advisory *****]

Internet Security Systems Security Advisory
September 4, 2002

Multiple Remote Vulnerabilities in Polycom Videoconferencing Products

Synopsis:

Internet Security Systems (ISS) X-Force has discovered multiple
vulnerabilities in the Polycom ViewStation videoconferencing products. The
ViewStation devices are powered by a proprietary operating system that
includes Web, Telnet, and FTP servers.

Impact:

The vulnerable ViewStation products are susceptible to multiple attacks that
may allow individuals to gather information about the device, retrieve files,
crash the device, or monitor videoconferences.

Affected Versions:

Polycom ViewStation 128 version 7.2 and earlier
Polycom ViewStation H.323 version 7.2 and earlier
Polycom ViewStation 512 version 7.2 and earlier
Polycom ViewStation MP version 7.2 and earlier
Polycom ViewStation DCP version 7.2 and earlier
Polycom ViewStation V.35 version 7.2 and earlier
Polycom ViewStation FX/VS 4000 version 4.1.5 and earlier

Description:

The Polycom ViewStation is configured by default with a null or empty
password for the administrator account. Users are not prompted to supply a
new administrator password during the installation process. This account
allows users to configure and manage the device as well as establish
videoconference links. The password for this account cannot be changed via
the Web interface and can only be changed via the remote control.
Documentation on how to configure a password is provided in the "Optional
Configurations" section of the Polycom ViewStation User Guide.

The integrated Web and Telnet servers are vulnerable to multiple attacks. By
encoding Web requests in Unicode, attackers may retrieve information from the
Web server without authenticating. Attackers can use this technique to
retrieve the administrator password from a vulnerable ViewStation. Once this
password is obtained, remote attackers can take control of the device. This
may allow unauthorized individuals to modify the system configuration,
destroy information, and record or monitor video conferences.

The Polycom ViewStation camera is vulnerable to various types of denial of
service (DoS) attacks. The Telnet service may become unstable and crash when
multiple connection attempts are made. The Telnet service allows an unlimited
number of login attempts, which may expose it to a brute-force attack. Remote
attackers may be able to cause the camera to crash by sending long or
malformed ICMP packets.

Recommendations:

X-Force recommends that all Polycom ViewStation users configure strong
passwords on their devices and assess the general security of their devices.
If possible, ViewStation devices should reside behind a firewall.

Internet Scanner X-Press Update 6.14 includes checks to assess the
vulnerabilities described in this advisory. Detection support for these
vulnerabilities was provided in XPU 20.2 for RealSecure Network Sensor.
Internet Scanner XPU 6.14 and RealSecure Network Sensor 20.2 are available
from the ISS Download Center at: http://www.iss.net/download.

Polycom has released software version 4.2 for the Polycom ViewStation
FX/VS4000. Polycom will be releasing a patch in September for the ViewStation
and ViewStation SP products. The beta release of this patch is now available
on the Polycom FTP site. Please refer to the Polycom Worldwide Resource
Center for more information.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues.
These are candidates for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.

CAN-2002-0626 Null or empty password on ViewStation device
CAN-2002-0627 Unicode directory traversal vulnerability
CAN-2002-0628 ViewStation device telnet brute force attack
CAN-2002-0629 ViewStation telnet DoS vulnerability
CAN-2002-0630 ViewStation ICMP DoS vulnerability

Polycom Worldwide Resource Center
http://www.polycom.com/resource_center

X-Force Database
http://www.iss.net/security_center/static/9347.php
http://www.iss.net/security_center/static/9348.php

Credits:

This vulnerability was discovered and researched by Jeff Horne of the ISS
X-Force.

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer
and world leader in software and services that protect critical online
resources from an ever-changing spectrum of threats and misuse. Internet
Security Systems is headquartered in Atlanta, GA, with additional operations
throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the express
written consent of the Internet Security Systems X-Force. If you wish to
reprint the whole or any part of this document in any other medium excluding
electronic media, please email xforce@iss.net for permission.

Disclaimer: The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's risk.
In no event shall the author/distributor (Internet Security Systems X-Force)
be held liable for any damages whatsoever arising out of or in connection
with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.

[***** End Internet Security Systems Security Advisory *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of ISS X-Force for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-113: Microsoft Network Connection Manager (NCM) Flaw
M-114: Apache 2.0 Path Disclosure Vulnerability
M-115: Novell NetWare 6.0 RConsoleJ Authentication Bypass Vulnerability
M-116: Microsoft Cumulative Patch for Internet Explorer
M-117: Microsoft Office Web Components Vulnerabilities
M-118: HP Tru64 Unix Multiple Vulnerabilities
M-119: Cisco VPN 3000 Concentrator Multiple Vulnerabilities
M-120: Microsoft Visual FoxPro 6.0 Vulnerability
M-121: Microsoft Certificate Validation Vulnerability
M-122: Remotely Exploitable Buffer Overflow in PGP
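
Added example, not part of the CIAC bulletin or the ISS advisory: the advisory's Description says only that Web requests encoded in Unicode are answered without authentication (CAN-2002-0627) and recommends placing the devices behind a firewall. The Python below shows how a filtering proxy or a log review in front of such a device could flag request paths that are not in canonical form. The encodings checked (overlong UTF-8, %uXXXX escapes, nested percent-encoding), the function names, and the log lines are assumptions chosen for illustration and go beyond what the advisory states about the ViewStation.

```python
import re
from urllib.parse import unquote_to_bytes

def decode_lenient(raw):
    """Decode 1-3 byte UTF-8 as a lax server might; report overlong forms."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b, c1, c2 = (raw[i:i + 3] + b"\0\0")[:3]
        cp, size, low = (b if b < 0x80 else 0xFFFD), 1, 0  # ASCII, or invalid byte
        if 0xC0 <= b <= 0xDF and c1 & 0xC0 == 0x80:
            cp, size, low = ((b & 0x1F) << 6) | (c1 & 0x3F), 2, 0x80
        elif 0xE0 <= b <= 0xEF and c1 & 0xC0 == 0x80 and c2 & 0xC0 == 0x80:
            cp, size, low = (b & 0x0F) << 12 | (c1 & 0x3F) << 6 | (c2 & 0x3F), 3, 0x800
        overlong |= cp < low  # value fits a shorter form: non-canonical
        out.append(chr(cp))
        i += size
    return "".join(out), overlong

def inspect_path(path):
    """Return the reasons a request path is suspicious ([] means canonical)."""
    found, text = set(), path
    for n in range(3):  # bounded re-decoding exposes nested encoding
        raw = unquote_to_bytes(text.encode("utf-8", "surrogatepass"))
        decoded, overlong = decode_lenient(raw)
        if overlong:
            found.add("overlong-utf8")
        expanded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m[1], 16)), decoded)
        if expanded != decoded:  # non-standard %uXXXX escape was present
            found.add("percent-u-escape")
        if expanded == text:
            break
        if n >= 1:
            found.add("nested-encoding")
        text = expanded
    if ".." in re.split(r"[/\\]", text):
        found.add("traversal-after-decoding")
    return sorted(found)

def scan(log_lines):
    """Return {path: reasons} for flagged requests in access-log lines."""
    paths = re.findall(r'"[A-Z]+ (\S+) HTTP/', "\n".join(log_lines))
    return {p: r for p in paths if (r := inspect_path(p))}

SAMPLE_LOG = [  # constructed lines, not captured from a real device
    '192.0.2.10 - - [04/Sep/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [04/Sep/2002:10:00:05 +0000] "GET /pub/%c0%ae%c0%ae/x HTTP/1.0" 200 90',
    '198.51.100.7 - - [04/Sep/2002:10:00:06 +0000] "GET /pub/%252e%252e/x HTTP/1.0" 200 90',
    '198.51.100.7 - - [04/Sep/2002:10:00:07 +0000] "GET /pub/%u002e%u002e/x HTTP/1.0" 200 90',
]
```

A strict front end would reject any request whose reason list is non-empty instead of trying to repair the path, since a canonical client never needs these encodings.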