ISS X-Force Database: cisco-unity-exchange-default-accounts(18489): Cisco Unity integrated with Microsoft Exchange has default user accounts

Cisco Unity integrated with Microsoft Exchange has default user accounts

cisco-unity-exchange-default-accounts (18489)

High Risk

Description:

Cisco Unity, when integrated with Microsoft Exchange have the following default user accounts:

EAdmin
UNITY_
UAMIS_
UOMNI_
UVPIM_
Esubsubscriber

An unauthorized user could could obtain sensitive information from incoming and outgoing messages and perform administrative actions via the Cisco Unity Administrator.

Platforms Affected:

Cisco, Unity Server 2.0
Cisco, Unity Server 2.1
Cisco, Unity Server 2.2
Cisco, Unity Server 2.3
Cisco, Unity Server 2.4
Cisco, Unity Server 2.46
Cisco, Unity Server 3.0
Cisco, Unity Server 3.1
Cisco, Unity Server 3.2
Cisco, Unity Server 3.3
Cisco, Unity Server 4.0

Remedy:

Upgrade to the latest version of Cisco Unity (4.0(5) or later), when it becomes available, as listed in Cisco Security Advisory 2004 December 15 1600 UTC (GMT). See References.

Consequences:

Gain Privileges

References:

CIAC Information Bulletin P-060, Cisco Unity with Exchange Default Passwords Vulnerability at http://www.ciac.org/ciac/bulletins/p-060.shtml.
Cisco Security Advisory 2004 December 15 1600 UTC (GMT), Cisco Unity with Exchange Has Default Passwords at http://www.cisco.com/en/US/products/products_security_advisory09186a008037cd59.shtml.
BID-11954: Cisco Unity With Exchange Default User Accounts and Passwords Vulnerability
CVE-2004-1322: Cisco Unity 2.x, 3.x, and 4.x, when integrated with Microsoft Exchange, has several hard coded usernames and passwords, which allows remote attackers to gain unauthorized access and change configuration settings or read outgoing or incoming e-mail messages.

Reported:

Dec 15, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page