Cisco Personal Assistant allows access to the configuration file

ciscopersonalassistant-config-file-access (14172) Risk level: Medium

Description:

Cisco Personal Assistant could allow a remote attacker to obtain sensitive information. If the "Allow Only Cisco CallManager Users" option has been enabled and the Personal Assistant Corporate Directory settings are configured to use the same directory as Cisco CallManager, the password authentication to Cisco Personal Assistant is disabled. A remote attacker could then enter a valid user ID with any password to gain access to the user configuration file, which would allow the attacker to read, modify, and overwrite the configuration file.

Note: The "Allow Only Cisco CallManager Users" option is not checked by default.


Consequences:

Obtain Information

Remedy:

No remedy available as of September 1, 2014.

References:

  • Cisco Systems Inc. Security Advisory, 2004 January 8 17:00 UTC (GMT): Cisco Personal Assistant User Password Bypass Vulnerability.
  • BID-9384: Cisco Personal Assistant Web Interface User Password Bypass Vulnerability
  • CVE-2004-0044: Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when Allow Only Cisco CallManager Users is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username.
  • OSVDB ID: 3430: Cisco Personal Assistant Password Authentication Bypass

Platforms Affected:

  • Cisco Personal Assistant 1.4(1)
  • Cisco Personal Assistant 1.4(2)

Reported:

Jan 08, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com