Version(s): 2.x, 3.x, and 4.x; when integrated with Microsoft Exchange
Description: A vulnerability was reported in Cisco Unity when used in conjunction with Microsoft Exchange. A remote user can access an administrative account using a common default password.
The vendor reported that several default username/password combinations exist when the system is configured to work with Microsoft Exchange. A remote user can access these accounts to read incoming and outgoing messages and to perform administrative functions on the target Unity system.
The affected accounts are:
# EAdmin<systemid>
# UNITY_<servername>
# UAMIS_<servername>
# UOMNI_<servername>
# UVPIM_<servername>
# ESubsubscriber
Impact: A remote user can access an administrative account.
Solution: Cisco plans to issue a fixed version (4.0(5)) in the first quarter of the calendar year 2005. This fixed version will only correct the flaw for new installations of that fixed version (or later versions).
Cisco recommends that you change the passwords on all accounts created by Cisco Unity and that you use strong passwords. Information on how to change account passwords is available at:
http://www.cisco.com/en/US/customer/...80093f54.shtml
