-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: Cisco Personal Assistant User Password Bypass
Vulnerability

Document ID: 47765

Revision 1.0 FINAL

For Public Release 2004 January 8 17:00 UTC (GMT)

- -----------------------------------------------------------------------

Contents
========

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Distribution
    Revision History
    Cisco Security Procedures

- -----------------------------------------------------------------------

Summary
=======

Cisco Personal Assistant may permit unauthorized access to user
configuration via the web interface. Once access is granted, user
preferences and configuration can be manipulated.

There is a workaround available and a software upgrade is not required
to remove the vulnerability.

This issue is documented in Cisco Bug ID CSCec87825.

This advisory is available at 

http://www.cisco.com/warp/public/707/cisco-sa-20040108-pa.shtml

Affected Products
=================

Cisco Personal Assistant versions 1.4(1) and 1.4(2) only are affected.
Cisco Personal Assistant versions 1.3(x) and prior are not affected.

No other Cisco products are affected by this vulnerability.

To verify the version of Personal Assistant you are running, perform
the following steps.

 1. Log in to Personal Assistant through the web interface.
   
 2. Browse to Help -> About Cisco Personal Assistant.
   
 3. Click the Details button and a window appears with the full version
    number.
   
Details
=======

Cisco Personal Assistant is a Microsoft Windows 2000 based application
and is part of the AVVID solution. For more information on Personal
Assistant, see:

http://www.cisco.com/en/US/partner/products/sw/voicesw/ps2026/index.html

This vulnerability is only present if both of the following conditions
are met:

  * The Personal Assistant administrator has checked the "Allow Only
    Cisco CallManager Users" box through System -> Miscellaneous
    Settings.
   
  * The Personal Assistant Corporate Directory settings refer to the
    same directory service that is used by Cisco CallManager.
   
If both of the above criteria are met, then password authentication to
Personal Assistant user configuration is disabled. This allows anyone
to enter a valid User ID with any password and the user will be
authorized to make configuration changes to that account.

The default setting for Personal Assistant is that the "Allow Only
Cisco CallManager Users" box is unchecked.

Users access Personal Assistant by browsing to the address 

http://x.x.x.x/pauseradmin 

where x.x.x.x is the IP address or hostname of the Personal Assistant
server.

This vulnerability does not affect access to Personal Assistant through
the telephony interface. Users access the telephony interface by
dialing the Personal Assistant extension. Personal Assistant uses the
user's CallManager Extension Mobility PIN or the Unity Subscriber Phone
Password to authenticate users through the telephony interface.

This vulnerability is documented as Cisco bug ID CSCec87825

Impact
======

This bug permits unauthorized configuration access to users' Personal
Assistant settings. This vulnerability does not affect the system
configuration of the Personal Assistant application.

An attacker can modify the settings of a user, which can include
modifying call routing to redirect calls for purposes of impersonation,
or forwarding the user's number to a toll number, incurring charges.

Software Versions and Fixes
===========================

All vulnerabilities listed in this advisory can be removed through
configuration of the Personal Assistant server. No software update is
required.

Obtaining Fixed Software
========================

As the fix for this vulnerability is a configuration change, a software
upgrade is not required to address this vulnerability.

If you need assistance with the implementation of the fix, or have
questions regarding the fix, please contact the Cisco Technical
Assistance Center (TAC).

Cisco TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
   
  * +1 408 526 7209 (toll call from anywhere in the world)
   
  * e-mail: tac@cisco.com
   
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds
===========

This vulnerability can be removed by de-selecting the checkbox "Allow
Only Cisco CallManager Users" on the System -> Miscellaneous Settings
page of the Personal Assistant Administration site.

This workaround will have no effect on the behavior of the Personal
Assistant as CallManager and Personal Assistant must be configured to
use the same directory for this vulnerability to be present.
Configuring "Allow Only CallManager Users" while having Personal
Assistant and CallManager using the same directory is technically
redundant.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

Status of This Notice: FINAL
============================

This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco will
update this advisory.

Distribution
============

This advisory will be posted on Cisco's worldwide website at 

http://www.cisco.com/warp/public/707/cisco-sa-20040108-pa.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
   
  * bugtraq@securityfocus.com
   
  * first-teams@first.org (includes CERT/CC)
   
  * cisco@spot.colorado.edu
   
  * comp.dcom.sys.cisco
   
  * firewalls@lists.gnac.com
   
  * Various internal Cisco mailing lists
   
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+----------------------------------------+
| Revision |                  | Initial  |
| 1.0      | 08-Jannuary-2004 | Public   |
|          |                  | Release  |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at http://www.cisco.com/warp/public/707/
sec_incident_response.shtml. This includes instructions for press
inquiries regarding Cisco security notices. All Cisco security
advisories are available at http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights
reserved.
- -----------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SunOS)

iD8DBQE//Xl+ezGozzK2tZARAmleAKCneNVTjIHfjFWzZBYqvfzrxeGE7gCg8LQ1
+TkFpeWYuojAlNjleXBitoQ=
=1ccb
-----END PGP SIGNATURE-----