Cisco Voice Products contain a flaw that may allow a malicious user to gain control of the server. The issue is caused by an insecure default installation of IBM Director. It is possible that the flaw may allow an attacker trivial access to administrative privileges resulting in a loss of confidentiality, integrity, and/or availability.

Unknown or Incomplete

The default installations of Cisco voice products on IBM servers will install IBM Director in unsecure state leaving TCP and UDP ports 14247 open. Any Director Server/Console agent can connect over port 14247 to gain administrative level control without requiring authentication.

The vulnerabilities are specific to Cisco voice products on IBM servers and all vulnerabilities listed in this advisory can be mitigated with the repair script without requiring an upgrade.

• Secunia Advisory ID: 10696
• ISS X-Force ID: 14900
• CVE ID: 2004-1760 (see also: NVD)
• Related OSVDB ID: 3691
• Bugtraq ID: 9468
• Other Advisory URL: http://archives.neohapsis.com/archives/cisco/2002-q1/0004.html
• Vendor Specific Advisory URL: http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml
• CIAC Advisory: o-066

Unknown or Incomplete