Title: Cisco Application Velocity System (AVS) Remote Default Account Vulnerabilities
Severity: CRITICAL
Description:
Cisco Application Velocity System (AVS) is an appliance-based package designed to increase the performance and security of HTML- and XML-based applications.
Cisco AVS is prone to multiple default-account vulnerabilities. These issues stem from a design flaw that makes several accounts available to remote attackers.
The following default credentials exist:
- 'root'
- Management Console user and password
- Database user and password
- Node Manager password
- Condenser password
- 'fgn' user
During the installation process, no prompt or procedure leads users to alter any of the default usernames or passwords.
Successful exploits allow remote attackers to gain administrative access to vulnerable appliances.
Versions prior to Cisco AVS 5.1.0 are vulnerable.
Cisco is tracking these issues as Cisco Bug ID CSCsd94732.
Affected Products:
- Cisco Application Velocity System (AVS)
- Cisco Application Velocity System (AVS) 3180
- Cisco Application Velocity System (AVS) 3180A
- Cisco Application Velocity System 3110 4.0
- Cisco Application Velocity System 3110 5.0
- Cisco Application Velocity System 3110 5.0.1
- Cisco Application Velocity System 3120 5.0.0
- Cisco Application Velocity System 3120 5.0.1
- Cisco Application Velocity System AVS 3100
References:
- Cisco: Cisco Application Velocity System (AVS) Product Page
- Cisco: Cisco Security Advisory: Default Passwords in the Application Velocity System