[cisco-voip] FW: Cisco Security Response: Cisco CallManager Input ValidationVulnerability

Ryan Ratliff rratliff at cisco.com
Wed May 23 12:30:09 EDT 2007


Base ES for SR5 is ES106.  This means anything lower than 106 can  
have SR5 installed over it.

-Ryan

On May 23, 2007, at 12:27 PM, Justin Steinberg wrote:

I saw ccm 4.1.3sr5, 4.2.3sr2a, and 5.1.2 posted on CCO today.

-Justin

On 5/23/07, Voll, Scott <Scott.Voll at wesd.org> wrote:
> Hey--
>
> Ryan, Wes, or Mike....... do you have a time line on CM 4.1.3sr5?  and
> can I upgrade from ES100 to SR5?
>
> Thanks
>
> Scott
>
> -----Original Message-----
> From: cust-security-announce-bounces at cisco.com
> [mailto:cust-security-announce-bounces at cisco.com] On Behalf Of Cisco
> Systems Product Security Incident Response Team
> Sent: Wednesday, May 23, 2007 8:47 AM
> To: cust-security-announce at cisco.com
> Subject: Cisco Security Response: Cisco CallManager Input
> ValidationVulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Security Response: Cisco CallManager Input Validation
> Vulnerability
>
> http://www.cisco.com/warp/public/707/cisco-sr-20070523-ccm.shtml
>
> Revision 1.0
>
> For Public Release 2007 May 23 1600 UTC (GMT)
>
> -
> ---------------------------------------------------------------------- 
> -
>
> Cisco Response
> ==============
>
> This is Cisco PSIRT's response to the statements made by Marc Ruef and
> Stefan Friedi from scip AG in their message "Cisco CallManager 4.1  
> Input
> Validation Vulnerability," posted on 2007 May 23 at 1600 UTC (GMT).
>
> The original emails were posted to BugTraq and Full-Disclosure.
>
> In their postings, Marc Ruef and Stefan Friedi illustrate how to  
> bypass
> the web application firewall used in Cisco CallManager. This means of
> bypass can be used to display graphics, scripts, or other information
> downloaded from an external web site. This technique may also be  
> used to
> conduct cross-site scripting attacks. Cisco confirms that the example
> the authors Ruef and Friedi provided bypasses the web application
> firewall and that there may be other methods for bypassing the web
> application firewall.
>
> Cisco has made improvements to the input validation mechanisms in
> CallManager that may mitigate the risks associated with this security
> vulnerability. These improvements have been incorporated into 4.2(3) 
> sr2.
> Future releases, 3.3(5)sr3, 4.1(3)sr5 and 4.3(1)sr1, will also include
> the improvements made to address this bug. This issue is being tracked
> by the following Cisco Bug ID:
>
>   * CSCsi12374 - Improvements in User Input Validation
>
> Service releases of CallManager software are available at the  
> following
> link:
>
> http://www.cisco.com/public/sw-center/sw-voice.shtml
>
> Additional Information
> ======================
>
> Cisco CallManager is the software-based call-processing component  
> of the
> Cisco IP telephony solution that extends enterprise telephony features
> and functions to packet telephony network devices, such as IP phones,
> media processing devices, voice-over-IP (VoIP) gateways, and  
> multimedia
> applications. The vulnerability described in this response exists in
> the web application firewall used in CallManager. This feature is
> designed to prevent users from entering malicious code into the input
> fields used in CallManager forms. The vulnerability exists because the
> web application firewall fails to properly sanitize some potentially
> malicious tags.
>
> To exploit these issues an attacker must convince an authenticated
> user to follow a specially crafted, malicious URL. A successful attack
> may result in the execution of arbitrary script code in the user's web
> browser.
>
> For additional information on cross-site scripting (XSS) attacks  
> and the
> methods used to exploit such vulnerabilities, please refer to the  
> Cisco
> Applied Intelligence Response "Understanding Cross-Site Scripting  
> (XSS)
> Threat Vectors," which is available at the following link:
>
> http://www.cisco.com/en/US/products/ps6120/ 
> tsd_products_security_respons
> e09186a008073f7b3.html
>
> The Cisco PSIRT is not aware of any malicious use of the vulnerability
> described in this document.
>
> This issue was reported to Cisco by Marc Ruef and Stefan Friedi from
> scip AG. We would like to thank Marc Ruef and Stefan Friedi for  
> bringing
> this issue to our attention and for working with us toward coordinated
> disclosure of the issue. We greatly appreciate the opportunity to
> work with researchers on security vulnerabilities, and welcome the
> opportunity to review and assist in product reports.
>
> THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
> ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
> DOCUMENT AT ANY TIME.
>
> Revision History
> ================
>
> +-------------------------------------------------------------+
> | Revision 1.0   | 2007-May-23   | Initial public release.    |
> +-------------------------------------------------------------+
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and  
> registering
> to receive security information from Cisco, is available on Cisco's
> worldwide website at
> http://www.cisco.com/en/US/products/ 
> products_security_vulnerability_poli
> cy.html.
> This includes instructions for press inquiries regarding Cisco  
> security
> notices. All Cisco security advisories are available at
> http://www.cisco.com/go/psirt.
>
> -
> ---------------------------------------------------------------------- 
> -
> All contents are Copyright (C) 2006-2007 Cisco Systems, Inc. All  
> rights
> reserved.
> -
> ---------------------------------------------------------------------- 
> -
>
> Updated: May 23, 2007                                Document ID:  
> 82462
>
> -
> ---------------------------------------------------------------------- 
> -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGVGFn8NUAbBmDaxQRAtqYAJ0QYVxfjNxM+fNHZ//KYPOdfmsxaQCfZZRC
> zWQKjcIn7Qw9+OpSHfB7MMc=
> =mA2X
> -----END PGP SIGNATURE-----
> _______________________________________________
> cust-security-announce mailing list
> cust-security-announce at cisco.com
> To unsubscribe, send the command "unsubscribe" in the subject of your
> message to cust-security-announce-leave at cisco.com
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


More information about the cisco-voip mailing list