Cisco CVCO/4k Remote Username and Password Retrieval Vulnerability

A vulnerability exists in the Cisco Virtual Central Office 4000 (VCO/4K) programmable voice switch running software versions 5.13 and earlier.

The usernames and passwords for the device's SNMP administration interface are protected by a simple substitution cipher which can be easily defeated. As a result, if the "encrypted" passwords are retrieved, (for example, through the read-only community string) an attacker can obtain a list of valid usernames and passwords potentially allowing an elevation of privileges and possibly more serious consequences.


 

Privacy Statement
Copyright 2010, SecurityFocus