Vulnerability Note VU#602734
Cisco default install of IBM Director agent fails to authenticate users for remote administration
Cisco IBM Director agent fails to authenticate users for remote administration.
Cisco voice products (e.g. CallManager, IP Interactive Voice Response, IP Call Center Express) that run on IBM servers install IBM Director agent to provide administrative management. The default installation of the IBM Director agent does not require authentication for performing remote administration.
A remote attacker could perform administrative functions without authenticating.
Quoting the Cisco Advisory:
Apply Cisco Repair Script
Note: The URL above requires a valid Cisco Connection Online (CCO) user account.
2. The repair script secures the Director agent such that even if port 14247 is reenabled, the Director agent still would not accept connections from any Director Server.
3. The Director Agent executable files which are not necessary to the functioning of the program, yet provide high levels of access or control, are completely disabled by this repair script.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco Systems Inc.||Affected||-||22 Jan 2004|
CVSS Metrics (Learn More)
This was reported by the Cisco Systems Product Security Incident Response Team (PSIRT).
This document was written by Damon Morda.
- CVE IDs: Unknown
- Date Public: 21 Jan 2004
- Date First Published: 22 Jan 2004
- Date Last Updated: 23 Jan 2004
- Severity Metric: 14.93
- Document Revision: 21
If you have feedback, comments, or additional information about this vulnerability, please send us email.