Holes Found in Cisco, Veritas, Samba Products
Security sources announce four mostly unrelated enterprise vulnerabilities in Cisco Unity, Cisco Guard, Veritas' Backup Exec, and Samba, the Windows file-sharing utility for Linux.
Thursday was a big day for vulnerability announcements, but not necessarily for big vulnerabilities. Cisco on Thursday announced two problems with its products, one of which had the potential to be serious. A potentially serious problem with Samba appeared on Bugtraq, and Veritas reported a problem with Backup Exec versions 8 and 9. None of the problems should cause trouble for companies with good security practices.
Perhaps the most serious vulnerability to be announced Thursday affects Cisco Unity versions 2, 3 and 4. Cisco's converged communications product reportedly creates several user accounts with default passwords. If your network manager doesn't change the default passwords after installing Unity, outside users could log in to your network with administrator-level functions. The solution is to change the passwords on those accounts to something besides the default setting. According to Cisco's announcement, normal practice when software is installed is to ask the administrator for a password for each account rather than just creating a default. Details on this vulnerability can be found on Cisco's Web site.
Cisco announced that the same problem appears in Cisco Guard, the company's denial-of-service mitigation appliance, prior to version 3.1. As is the case with Unity, this product comes with a default password that needs to be changed. In this case, it's the root password for the device itself.