Internet Security Systems Security Advisory September 4, 2002 Multiple Remote Vulnerabilities in Polycom Videoconferencing Products Synopsis: Internet Security Systems (ISS) X-Force has discovered multiple vulnerabilities in the Polycom ViewStation videoconferencing products. The ViewStation devices are powered by a proprietary operating system that includes Web, Telnet, and FTP servers. Impact: The vulnerable ViewStation products are susceptible to multiple attacks that may allow individuals to gather information about the device, retrieve files, crash the device, or monitor videoconferences. Affected Versions: Polycom ViewStation 128 version 7.2 and earlier Polycom ViewStation H.323 version 7.2 and earlier Polycom ViewStation 512 version 7.2 and earlier Polycom ViewStation MP version 7.2 and earlier Polycom ViewStation DCP version 7.2 and earlier Polycom ViewStation V.35 version 7.2 and earlier Polycom ViewStation FX/VS 4000 version 4.1.5 and earlier Description: The Polycom ViewStation is configured by default with a null or empty password for the administrator account. Users are not prompted to supply a new administrator password during the installation process. This account allows users to configure and manage the device as well as establish videoconference links. This password for this account cannot be changed via the Web interface and can only be changed via the remote control. Documentation on how to configure a password is provided in the "Optional Configurations" section of the Polycom ViewStation User Guide. The integrated Web and Telnet servers are vulnerable to multiple attacks. By encoding Web requests in Unicode, attackers may retrieve information from the Web server without authenticating. Attackers can use this technique to retrieve the administrator password from a vulnerable ViewStation. Once this password is obtained, remote attackers can take control the device. This may allow unauthorized individuals to modify the system configuration, destroy information, and record or monitor video conferences. The Polycom ViewStation camera is vulnerable to various types of denial of service (DoS) attacks. The Telnet service may become unstable and crash when multiple connection attempts are made. The Telnet service allows an unlimited number of login attempts, which may expose it to a brute-force attack. Remote attackers may be able to cause the camera to crash by sending long or malformed ICMP packets. Recommendations: X-Force recommends that all Polycom ViewStation users configure strong passwords on their devices and assess the general security of their devices. If possible, ViewStation devices should reside behind a firewall. Internet Scanner X-Press Update 6.14 includes checks to assess the vulnerabilities described in this advisory. Detection support for these vulnerabilities was provided in XPU 20.2 for RealSecure Network Sensor. Internet Scanner XPU 6.14 and RealSecure Network Sensor 20.2 are available from the ISS Download Center at: http://www.iss.net/download. Polycom has released software version 4.2 for the Polycom ViewStation FX/VS4000. Polycom will be releasing a patch in September for the ViewStation and ViewStation SP products. The beta release of this patch is now available on the Polycom FTP site. Please refer to the Polycom Worldwide Resource Center for more information. Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2002-0626 Null or empty password on ViewStation device CAN-2002-0627 Unicode directory traversal vulnerability CAN-2002-0628 ViewStation device telnet brute force attack CAN-2002-0629 ViewStation telnet DoS vulnerability CAN-2002-0630 ViewStation ICMP DoS vulnerability Polycom Worldwide Resource Center http://www.polycom.com/resource_center X-Force Database http://www.iss.net/security_center/static/9347.php http://www.iss.net/security_center/static/9348.php Credits: This vulnerability was discovered and researched by Jeff Horne of the ISS X-Force. ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce@iss.net for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.