AUSCERT External Security Bulletin Redistribution

                 ESB-2004.0023 -- Cisco Security Advisory
        Cisco Personal Assistant User Password Bypass Vulnerability
                              09 January 2004


        AusCERT Security Bulletin Summary

Product:                Cisco Personal Assistant versions 1.4(1) and 1.4(2)
Publisher:              Cisco Systems
Operating System:       Windows 2000
Impact:                 Increased Privileges
                        Reduced Security
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

Cisco Security Advisory: Cisco Personal Assistant User Password Bypass

Document ID: 47765

Revision 1.0 FINAL

For Public Release 2004 January 8 17:00 UTC (GMT)

- - -----------------------------------------------------------------------


    Affected Products
    Software Versions and Fixes
    Obtaining Fixed Software
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Revision History
    Cisco Security Procedures

- - -----------------------------------------------------------------------


Cisco Personal Assistant may permit unauthorized access to user
configuration via the web interface. Once access is granted, user
preferences and configuration can be manipulated.

There is a workaround available and a software upgrade is not required
to remove the vulnerability.

This issue is documented in Cisco Bug ID CSCec87825.

This advisory is available at 


Affected Products

Cisco Personal Assistant versions 1.4(1) and 1.4(2) only are affected.
Cisco Personal Assistant versions 1.3(x) and prior are not affected.

No other Cisco products are affected by this vulnerability.

To verify the version of Personal Assistant you are running, perform
the following steps.

 1. Log in to Personal Assistant through the web interface.
 2. Browse to Help -> About Cisco Personal Assistant.
 3. Click the Details button and a window appears with the full version

Cisco Personal Assistant is a Microsoft Windows 2000 based application
and is part of the AVVID solution. For more information on Personal
Assistant, see:


This vulnerability is only present if both of the following conditions
are met:

  * The Personal Assistant administrator has checked the "Allow Only
    Cisco CallManager Users" box through System -> Miscellaneous
  * The Personal Assistant Corporate Directory settings refer to the
    same directory service that is used by Cisco CallManager.
If both of the above criteria are met, then password authentication to
Personal Assistant user configuration is disabled. This allows anyone
to enter a valid User ID with any password and the user will be
authorized to make configuration changes to that account.

The default setting for Personal Assistant is that the "Allow Only
Cisco CallManager Users" box is unchecked.

Users access Personal Assistant by browsing to the address 


where x.x.x.x is the IP address or hostname of the Personal Assistant

This vulnerability does not affect access to Personal Assistant through
the telephony interface. Users access the telephony interface by
dialing the Personal Assistant extension. Personal Assistant uses the
user's CallManager Extension Mobility PIN or the Unity Subscriber Phone
Password to authenticate users through the telephony interface.

This vulnerability is documented as Cisco bug ID CSCec87825


This bug permits unauthorized configuration access to users' Personal
Assistant settings. This vulnerability does not affect the system
configuration of the Personal Assistant application.

An attacker can modify the settings of a user, which can include
modifying call routing to redirect calls for purposes of impersonation,
or forwarding the user's number to a toll number, incurring charges.

Software Versions and Fixes

All vulnerabilities listed in this advisory can be removed through
configuration of the Personal Assistant server. No software update is

Obtaining Fixed Software

As the fix for this vulnerability is a configuration change, a software
upgrade is not required to address this vulnerability.

If you need assistance with the implementation of the fix, or have
questions regarding the fix, please contact the Cisco Technical
Assistance Center (TAC).

Cisco TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.


This vulnerability can be removed by de-selecting the checkbox "Allow
Only Cisco CallManager Users" on the System -> Miscellaneous Settings
page of the Personal Assistant Administration site.

This workaround will have no effect on the behavior of the Personal
Assistant as CallManager and Personal Assistant must be configured to
use the same directory for this vulnerability to be present.
Configuring "Allow Only CallManager Users" while having Personal
Assistant and CallManager using the same directory is technically

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

Status of This Notice: FINAL

This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco will
update this advisory.


This advisory will be posted on Cisco's worldwide website at 


In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * comp.dcom.sys.cisco
  * firewalls@lists.gnac.com
  * Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History

| Revision |                  | Initial  |
| 1.0      | 08-Jannuary-2004 | Public   |
|          |                  | Release  |

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at http://www.cisco.com/warp/public/707/
sec_incident_response.shtml. This includes instructions for press
inquiries regarding Cisco security notices. All Cisco security
advisories are available at http://www.cisco.com/go/psirt.

- - -----------------------------------------------------------------------
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights
- - -----------------------------------------------------------------------

Version: GnuPG v1.2.3 (SunOS)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967