CVE-2014-0675 - The Expressway component in Cisco TelePresence Video Communication Server (VCS) uses the same defaul

CVE-2014-0675

Summary

The Expressway component in Cisco TelePresence Video Communication Server (VCS) uses the same default X.509 certificate across different customers' installations, which makes it easier for remote attackers to conduct man-in-the-middle attacks against SSL sessions by leveraging the certificate's trust relationship, aka Bug ID CSCue07471.

References

Vulnerable Configurations

cpe:2.3:h:cisco:telepresence_video_communication_server:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:telepresence_video_communication_server:-:*:*:*:*:*:*:*

CVSS

Base:	6.4 (as of 29-08-2017 - 01:34)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:N

refmap via4

bid	65101
cisco	20140122 Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability
confirm	http://tools.cisco.com/security/center/viewAlert.x?alertId=32540
osvdb	102377
sectrack	1029682
secunia	56621
xf	cisco-telepresence-cve20140675-mitm(90650)

Last major update

29-08-2017 - 01:34

Published

23-01-2014 - 04:41

Last modified

29-08-2017 - 01:34