
V-202: Cisco Video Surveillance Manager Bugs Let Remote Users Obtain Potentially Sensitive Information

July 25, 2013 - 2:52am


PROBLEM:

A remote user can obtain potentially sensitive information and modify some configuration settings. A remote user can exploit this to create, modify, and remove camera feeds, archives, logs, and users.

PLATFORM:

Cisco Video Surveillance Manager 7.1, 7.5

ABSTRACT:

Two vulnerabilities were reported in Cisco Video Surveillance Manager.

REFERENCE LINKS:

Security Tracker Alert ID: 1028827
CVE-2013-3429
CVE-2013-3430
CVE-2013-3431

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The vulnerability is due to an access control error. The Cisco Video Surveillance Manager (VSM) allows operations managers and system integrators to build customized video surveillance networks to meet their needs. Cisco VSM provides centralized configuration, management, display, and control of video from Cisco and third-party surveillance endpoints. Multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system. An attacker with full access can supply a specially crafted URL to access sensitive system files. The attacker can access pages that do not require authentication, including configuration, monitoring pages, archives, and system logs.

IMPACT:

A remote user can obtain potentially sensitive information.

SOLUTION:

The vendor has issued a fix (7.0.1).

 
