[cisco-voip] [c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service and Authentication Bypass Vulnerabilities

Ed Leatherman ealeatherman at gmail.com
Wed Jun 25 14:21:36 EDT 2008


Hi folks

Was planning to apply a SR to call manager 5.1.3 this weekend anyway so may
as well patch this too... but I can't find a 5.1.3c version on cco. Latest
is 5.1.3b, 5.1.3.3000-5. Any ideas?

Ed

On Wed, Jun 25, 2008 at 12:00 PM, Cisco Systems Product Security Incident
Response Team <psirt at cisco.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Security Advisory: Cisco Unified Communications Manager Denial
>                         of Service and Authentication Bypass
>                         Vulnerabilities
>
> Advisory ID: cisco-sa-20080625-cucm
>
> Revision 1.0
>
> For Public Release 2008 June 25 1600 UTC (GMT)
>
> +---------------------------------------------------------------------
>
> Summary
> =======
>
> Cisco Unified Communications Manager (CUCM), formerly Cisco
> CallManager, contains a denial of service (DoS) vulnerability in the
> Computer Telephony Integration (CTI) Manager service that may cause
> an interruption in voice services and an authentication bypass
> vulnerability in the Real-Time Information Server (RIS) Data
> Collector that may expose information that is useful for
> reconnaissance.
>
> Cisco has released free software updates that address these
> vulnerabilities. There are no workarounds for these vulnerabilities.
>
> This advisory is posted at
> http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml.
>
> Affected Products
> =================
>
> Vulnerable Products
> +------------------
>
> The following products are vulnerable:
>
>  * Cisco Unified CallManager 4.1 versions
>  * Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4
>  * Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1
>  * Cisco Unified Communications Manager 5.x versions prior to 5.1(3c)
>  * Cisco Unified Communications Manager 6.x versions prior to 6.1(2)
>
> Administrators of systems running Cisco Unified Communications
> Manager (CUCM) version 4.x can determine the software version by
> navigating to Help > About Cisco Unified CallManager and selecting
> the Details button via the CUCM administration interface.
>
> Administrators of systems that are running CUCM versions 5.x and 6.x
> can determine the software version by viewing the main page of the
> CUCM administration interface. The software version can also be
> determined by running the command show version active via the command
> line interface (CLI).
>
> Products Confirmed Not Vulnerable
> +--------------------------------
>
> Cisco Unified Communications Manager Express is not affected by these
> vulnerabilities. No other Cisco products are currently known to be
> affected by these vulnerabilities.
>
> Details
> =======
>
> Cisco Unified Communications Manager (CUCM) is the call processing
> component of the Cisco IP Telephony solution that extends enterprise
> telephony features and functions to packet telephony network devices,
> such as IP phones, media processing devices, VoIP gateways, and
> multimedia applications.
>
> Computer Telephony Integration Manager Related Vulnerability
>
> The Computer Telephony Integration (CTI) Manager service of CUCM
> versions 5.x and 6.x contains a vulnerability when handling malformed
> input that may result in a DoS condition. The CTI Manager service
> listens by default on TCP port 2748 and is not user-configurable.
> There is no workaround for this vulnerability. This vulnerability is
> fixed in CUCM versions 5.1(3c) and 6.1(2). This vulnerability is
> documented in Cisco Bug ID CSCso75027 and has been assigned Common
> Vulnerabilities and Exposures (CVE) identifier CVE-2008-2061.
>
> Real-Time Information Server Data Collector Related Vulnerability
>
> The Real-Time Information Server (RIS) Data Collector service of CUCM
> versions 4.x, 5.x, and 6.x contains an authentication bypass
> vulnerability that may result in the unauthorized disclosure of
> certain CUCM cluster information. In normal operation, Real-Time
> Monitoring Tool (RTMT) clients gather CUCM cluster statistics by
> authenticating to a Simple Object Access Protocol (SOAP) based web
> interface. The SOAP interface proxies authenticated connections to
> the RIS Data Collector process. The RIS Data Collector service
> listens on TCP port 2556 by default and is user configurable. By
> connecting directly to the port that the RIS Data Collector process
> listens on, it may be possible to bypass authentication checks and
> gain read-only access to information about a CUCM cluster. The
> information available includes performance statistics, user names,
> and configured IP phones. This information may be used to mount
> further attacks. No passwords or other sensitive CUCM configuration
> may be obtained via this vulnerability. No CUCM configuration changes
> can be made.
>
> There is no workaround for this vulnerability. This vulnerability is
> fixed in CUCM versions 4.2(3)SR4, 4.3(2)SR1, 5.1(3), and 6.1(1). For
> CUCM 4.x versions, this vulnerability is documented in Cisco Bug ID
> CSCsq35151 and has been assigned CVE identifier CVE-2008-2062. For
> CUCM 5.x and 6.x versions, this vulnerability is documented in Cisco
> Bug ID CSCsj90843 and has been assigned CVE identifier CVE-2008-2730.
>
> Vulnerability Scoring Details
> =============================
>
> Cisco has provided scores for the vulnerabilities in this advisory
> based on the Common Vulnerability Scoring System (CVSS). The CVSS
> scoring in this Security Advisory is done in accordance with CVSS
> version 2.0.
>
> CVSS is a standards-based scoring method that conveys vulnerability
> severity and helps determine urgency and priority of response.
>
> Cisco has provided a base and temporal score. Customers can then
> compute environmental scores to assist in determining the impact of
> the vulnerability in individual networks.
>
> Cisco has provided an FAQ to answer additional questions regarding
> CVSS at:
>
> http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
>
> Cisco has also provided a CVSS calculator to help compute the
> environmental impact for individual networks at:
>
> http://intellishield.cisco.com/security/alertmanager/cvss
>
>
> CSCso75027 - CTI Manager TSP Crash
>
> CVSS Base Score - 7.8
>    Access Vector - Network
>    Access Complexity - Low
>    Authentication - None
>    Confidentiality Impact - None
>    Integrity Impact - None
>    Availability Impact - Complete
>
> CVSS Temporal Score - 6.4
>    Exploitability - Functional
>    Remediation Level - Official Fix
>    Report Confidence - Confirmed
>
> CSCsq35151 - RISDC Authentication Bypass
>
> CVSS Base Score - 5
>    Access Vector - Network
>    Access Complexity - Low
>    Authentication - None
>    Confidentiality Impact - Partial
>    Integrity Impact - None
>    Availability Impact - None
>
> CVSS Temporal Score - 4.1
>    Exploitability - Functional
>    Remediation Level - Official Fix
>    Report Confidence - Confirmed
>
> CSCsj90843 - RISDC Authentication Bypass
>
> CVSS Base Score - 5
>    Access Vector - Network
>    Access Complexity - Low
>    Authentication - None
>    Confidentiality Impact - Partial
>    Integrity Impact - None
>    Availability Impact - None
>
> CVSS Temporal Score - 4.1
>    Exploitability - Functional
>    Remediation Level - Official Fix
>    Report Confidence - Confirmed
>
> Impact
> ======
>
> Successful exploitation of the vulnerabilities in this advisory may
> result in the interruption of voice services or disclosure of
> information useful for reconnaissance.
>
> Software Versions and Fixes
> ===========================
>
> When considering software upgrades, also consult
> http://www.cisco.com/go/psirt
> and any subsequent advisories to determine exposure and a
> complete upgrade solution.
>
> In all cases, customers should exercise caution to be certain the
> devices to be upgraded contain sufficient memory and that current
> hardware and software configurations will continue to be supported
> properly by the new release. If the information is not clear, contact
> the Cisco Technical Assistance Center (TAC) or your contracted
> maintenance provider for assistance.
>
> Cisco Unified Communications Manager (CUCM) version 4.2(3)SR4
> contains fixes for all vulnerabilities affecting CUCM version 4.2
> listed in this advisory. Cisco Unified CallManager 4.1 version
> administrators are encouraged to upgrade to CUCM version 4.2(3)SR4 in
> order to obtain fixed software. Version 4.2(3)SR4 can be downloaded
> at the following link:
>
>
> http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdid=null&imname=null&hybrid=Y&imst=N
>
> CUCM version 4.3(2)SR1 contains fixes for all vulnerabilities
> affecting CUCM version 4.3 listed in this advisory and is scheduled
> to be released in mid-July, 2008. Version 4.3(2)SR1 will be available
> for download at the following link:
>
>
> http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
>
> CUCM version 5.1(3c) contains fixes for all vulnerabilities affecting
> CUCM version 5.x listed in this advisory. Version 5.1(3c) can be
> downloaded at the following link:
>
>
> http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
>
> CUCM version 6.1(2) contains fixes for all vulnerabilities affecting
> CUCM version 6.x listed in this advisory. Version 6.1(2) can be
> downloaded at the following link:
>
>
> http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
>



-- 
Ed Leatherman
Senior Voice Engineer
West Virginia University
Telecommunications and Network Operations
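
The advisory gives each issue its own first fixed release, so a 5.1(3b) system is already past the RIS Data Collector fix but still exposed to the CTI Manager DoS. The following is an added triage example, not part of the original post or of Cisco's advisory; `parse`, `open_issues` and `FIXES` are hypothetical names, and input is assumed to be in the advisory's notation (for example `5.1(3b)`), not a build number such as `5.1.3.3000-5`.

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:SR(\d+))?$")

def parse(version):
    """Parse advisory notation such as '5.1(3c)' or '4.2(3)SR4' into a sortable tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version: {version!r}")
    major, minor, maint, letter, sr = m.groups()
    # '' sorts before 'a', so 5.1(3) < 5.1(3b) < 5.1(3c); a missing SR counts as 0.
    return (int(major), int(minor), int(maint), letter, int(sr or 0))

# First fixed release per issue, copied from the advisory. 5.x and 6.x are keyed
# by major train (minor None); 4.x by major.minor, since each 4.x train has its own SR.
FIXES = {
    "CVE-2008-2061 (CTI Manager DoS)": {(5, None): "5.1(3c)", (6, None): "6.1(2)"},
    "CVE-2008-2062 (RISDC auth bypass, 4.x)": {(4, 2): "4.2(3)SR4", (4, 3): "4.3(2)SR1"},
    "CVE-2008-2730 (RISDC auth bypass, 5.x/6.x)": {(5, None): "5.1(3)", (6, None): "6.1(1)"},
}

def open_issues(version):
    """Return the advisory issues that still apply to `version`."""
    v = parse(version)
    major, minor = v[0], v[1]
    if major not in (4, 5, 6):
        raise ValueError("advisory only covers CUCM 4.x, 5.x and 6.x")
    found = []
    for issue, fixes in FIXES.items():
        if major not in {train[0] for train in fixes}:
            continue  # this issue does not affect the major train
        fixed = fixes.get((major, minor)) or fixes.get((major, None))
        # Assumption: a 4.x train with no in-train fix listed (e.g. 4.1) is always affected.
        if fixed is None or v < parse(fixed):
            found.append(issue)
    return found

if __name__ == "__main__":
    for sample in ("4.1(3)SR5", "4.2(3)SR4", "5.1(3b)", "5.1(3c)", "6.1(1)"):
        print(sample, "->", open_issues(sample) or "no open issues from this advisory")
```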