PT-2010-5412 · Cisco · Cisco Unified Videoconferencing 3515 Multipoint Control Unit

Published 2010-11-22 · Updated 2010-11-30 · CVE-2010-4304

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Unified Videoconferencing System (affected versions not specified)
Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway (affected versions not specified)
Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway (affected versions not specified)
Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU) (affected versions not specified)

Description

The issue concerns the web interface of various Cisco Unified Videoconferencing products, which generates predictable session IDs based on time values. This predictability makes it easier for remote attackers to hijack sessions via a brute-force attack.

Recommendations

For Cisco Unified Videoconferencing System, consider implementing additional security measures to protect against session hijacking until a fix is available.
For Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway, restrict access to the web interface to minimize the risk of exploitation.
For Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway, avoid using the web interface for sensitive operations until the issue is resolved.
For Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU), consider disabling the web interface as a temporary workaround until a patch is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2010-4304

Affected Products

Cisco Unified Videoconferencing 3515 Multipoint Control Unit
Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway
Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway
Cisco Unified Videoconferencing System