Cisco Unity Default Account Passwords Let Remote Users Gain Administrative Access
Version(s): 2.x, 3.x, and 4.x; when integrated with Microsoft Exchange
Description: A vulnerability was reported in Cisco Unity when used in conjunction with Microsoft Exchange. A remote user can access an administrative account using a common default password.
The vendor reported that several default username/password combinations exist when the system is configured to work with Microsoft Exchange. A remote user can access these accounts to read incoming and outgoing messages and to perform administrative functions on the target Unity system.
The affected accounts are:
- EAdmin<systemid>
- UNITY_<servername>
- UAMIS_<servername>
- UOMNI_<servername>
- UVPIM_<servername>
- ESubscriber
Impact: A remote user can access an administrative account.
Solution: Cisco plans to issue a fixed version (4.0(5)) in the first quarter of the calendar year 2005. This fixed version will only correct the flaw for new installations of that fixed version (or later versions).
Cisco recommends that you change the passwords on all accounts created by Cisco Unity and that you use strong passwords. Information on how to change account passwords is available at:
http://www.cisco.com/en/US/customer/...80093f54.shtml
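To find which of the accounts listed above still need a password change, the following added example (not part of the advisory or Cisco's own tooling) checks a directory export for the affected account names and flags those whose password was last set at creation time. It assumes a CSV export with sAMAccountName, whenCreated and pwdLastSet columns converted to ISO timestamps; the sample rows, the five-minute window and the function name audit are constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Account-name patterns from the advisory's list; <systemid> and <servername>
# are treated as any non-empty suffix.
UNITY_ACCOUNT = re.compile(
    r"^(EAdmin.+|(UNITY|UAMIS|UOMNI|UVPIM)_.+|ESubscriber)$", re.IGNORECASE
)

# Assumption: a password set within this window of account creation has not
# been changed since the account was installed.
UNCHANGED_WINDOW = timedelta(minutes=5)


def audit(export_csv):
    """Return (account, status) for every Unity-created account in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["sAMAccountName"].strip()
        if not UNITY_ACCOUNT.match(name):
            continue  # not one of the accounts named in the advisory
        created = datetime.fromisoformat(row["whenCreated"])
        pwd_set = datetime.fromisoformat(row["pwdLastSet"])
        unchanged = pwd_set - created <= UNCHANGED_WINDOW
        findings.append((name, "CHANGE PASSWORD" if unchanged else "changed"))
    return findings


# Constructed sample export (hypothetical server name and system id).
SAMPLE = """sAMAccountName,whenCreated,pwdLastSet
EAdmin5f2a,2004-03-01T10:00:00,2004-03-01T10:00:04
UNITY_VMSRV01,2004-03-01T10:00:10,2004-12-16T08:30:00
UAMIS_VMSRV01,2004-03-01T10:00:11,2004-03-01T10:00:11
jsmith,2003-06-12T09:00:00,2004-11-02T14:20:00
ESubscriber,2004-03-01T10:00:12,2004-03-01T10:00:12
"""

if __name__ == "__main__":
    for account, status in audit(SAMPLE):
        print(f"{account:20} {status}")
```

An account reported as "changed" has a newer password but is not thereby shown to have a strong one, so the recommendation to use strong passwords still applies to it.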