[cisco-voip] Have you seen this article?

Jonathan Charles jonvoip at gmail.com
Wed Jun 28 10:55:02 EDT 2006


CCM 4.3 isn't supposed to come out until end of the year...

It is supposed to be on Windows 2003...

I just checked Cisco's site, I saw no mention of it yet...



Jonathan

On 6/28/06, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>
> There's a CallManager 4.3(1)? WAH?????????????????????
>
> --------------------------------------------------------------------------------
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> "I can eat fifty eggs." "Nobody can eat fifty eggs."
>
> ----- Original Message -----
> From: Ryan Ratliff
> To: Leetun, Rob
> Cc: ciscovoip
>
> Sent: Wednesday, June 28, 2006 9:36 AM
> Subject: Re: [cisco-voip] Have you seen this article?
>
> http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_security_response09186a00806c0846.html
>
> -Ryan
>
> On Jun 28, 2006, at 9:17 AM, Leetun, Rob wrote:
>
>   Cisco Call Manager Flaw Could Invite Hackers
>
> Vulnerabilities in Cisco's Call Manager software could open the door
> for hackers to reconfigure VoIP settings and gain access to
> individual users' account information, according to researchers at
> Kansas City, Mo.-based solution provider FishNet Security.
>
> By Kevin McLaughlin, CRN
> Jun 19, 2006
> URL:http://www.ddj.com/dept/security/189500728
>
> In a report issued Monday, Jake Reynolds, senior security engineer at
> FishNet, said the vulnerability affects versions 3.1 and higher of
> Call Manager, which handles call routing and call signaling functions
> in Cisco VoIP systems. A lack of input validation and output encoding
> in the Web administration interface for Call Manager could allow
> hackers to execute cross-site scripting attacks, Reynolds wrote.
>
> Cross-site scripting attacks usually involve tricking users with
> access privileges into clicking on a URL in an email or Web page.
>
> In the Call Manager scenario, attackers would send a request to the
> Call Manager Web interface that causes malicious JavaScript to be
> included. If the administrator could be tricked into submitting this
> tainted request, the malicious code would execute in the victim's Web
> browser and potentially give attackers the ability to delete or
> reconfigure system components and gain access to confidential user
> information, according to the report.
>
> In a statement, Cisco's Product Security Incident Response Team
> (PSIRT) recommended that users verify link destinations before
> clicking on URLs.
>
> Although there are no workarounds for the issue, Cisco has fixed the
> vulnerability and fixes will be incorporated in all supported
> CallManager trains in versions 4.3(1), 4.2(3), 4.1(3)SR4 and 3.3(5)
> SR3, according to the statement.
>
> To guard against attacks, FishNet recommends that companies limit
> network connectivity to Call Manager wherever possible to prevent
> hackers from discovering public Web interfaces.
>
> "Simple Google queries are all an attacker needs in this case to
> obtain the target Call Manager address. There are few compelling
> reasons one could present that would justify public access to Call
> Manager web interfaces," according to the report.
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>

