Navastream Inc.
Press Releases

NAVASTREAM SECURES REMOTE MANAGEMENT VULNERABILITY IN POLYCOM VIDEOCONFERENCING PRODUCTS


--Navastream VIP Offers Certificate Based Authentication Features to Disable Polycom Security Exploit--

San Francisco, California; Frankfurt, Germany; New York - September 13, 2002 - Vulnerabilities discovered in the Polycom ViewStation videoconferencing products, which allow unauthorized individuals to gather information about the device, retrieve files, crash the device, or monitor videoconferences, can be counteracted with Navastream's VIP product line. Navastream's gateway and standalone videoconference security products employ IPsec and certificate-based encryption and authentication, which can be used to deny transmission requests to and connection requests from unauthorized users.


Description of Vulnerability:

The Polycom ViewStation's operating system (OS) includes Web, Telnet, and FTP capabilities specifically for remote management. The default password protecting access to the remote management controls of the ViewStation is empty or null. Consequently, unauthorized users can use these controls to configure the videoconference unit and establish videoconference sessions.


The ViewStation's Web portion is vulnerable to multiple attacks. By writing requests in Unicode, attackers can directly access vulnerable information in directories on the videoconference system without password authentication. Attackers can use this technique to retrieve the administrator password, take control of the device, modify the configuration and record or monitor videoconferences.


The Polycom ViewStation is also vulnerable to denial of service (DoS) attacks. The Telnet service allows an unlimited number of login attempts, exposing it to a brute force attack. The system may also become unstable and crash from too many requests. Attackers can also cause the ViewStation to crash by sending long or malformed ICMP packets.


Ongoing Security Issues:

Eric Goldberg, GM of Navastream, states, "Although Polycom will address these problems in future software releases, it is clear that videoconferencing users need to supplement basic password protection with a stronger level of security. Videoconferencing at its best enables improved communication, faster project turn-around and quick ROI; at its worst, it can turn your workplace into your competitors' video surveillance system."


Another major security issue with many videoconferencing systems is that the password protecting the remote management features is passed in the clear, from the remote management console across the Internet to the videoconference system, without the use of a secure protocol like SSL or HTTPS. Any potential attacker monitoring the connection with a network sniffer will be able to retrieve the password to gain access to remote management controls. With many of the newer videoconference systems able to stream video over the Internet, the attacker can forward unencrypted videoconferences to any number of anonymous destinations across the Internet.


Recommendations:

Navastream recommends protecting videoconferencing systems with a gateway product that can provide packet filtering, encryption and certificate-based authentication. The Navastream VIP product family protects affected Polycom ViewStation systems from remote management security exploits by employing filter tables that can authenticate remote management access by addressing and digital certificates.


Upon initial configuration of the Navastream VIPs, the administrator can create a filter rule to limit access to the videoconference system by port, protocol and remote IP address. If a request is made from an unauthorized location or via an unauthorized protocol or port, the VIP will drop the session before it is engaged, thereby eliminating the possibility of unauthorized remote access to the videoconference system or transmissions to unauthorized locations. To counteract denial of service (DoS) attacks, the VIPs can be configured to only accept connections from trusted addresses.


The Navastream VIP can also authenticate remote management and videoconference sessions to protected videoconference systems by digital certificates. Security-conscious administrators can manage their remote videoconference systems protected by Navastream VIPs from behind another VIP or through a PC protected with a Navastream Secure SoftClient. When remote management is handled in this straightforward way, the administrator management session and password can be encrypted and authenticated between his PC or local VIP and the remote VIP via 128-bit DES3 encryption authenticated by digital certificates.


In summary, it is important to keep informed of security exploits and download security patches from the manufacturers of videoconferencing equipment as they become available. However, without a dedicated security system to protect videoconference systems, their transmissions and remote management sessions, organizations are sending the passwords that protect access to their systems in the clear with hopes that they are not targeted by the next attack.


About Navastream:

Navastream, a global leader in secure communications solutions, specializes in securing access for in-demand real-time applications like videoconferencing, voice, email, wireless and remote access solutions. Navastream designs, manufactures, markets and supports a wide range of products for the network and telecommunications security industry.


Navastream's Managed Security Services (MSS) combines hardware, software and secure remote management products with Navastream certified professional services and security consultation services. This unique combination allows Navastream to offer security solutions tailored to the needs of their customers on a global scale.


Navastream works with numerous government customers and corporations in many different industries including aerospace and defense, automotive, pharmaceuticals, financial services, consumer products, manufacturing and oil and gas.


Providing products and services for 50% of the Top 10 Fortune 500 Companies, Navastream is the recognized global leader of secure communications solutions.