[cisco-voip] DRS Backup Decrypter - Decrypt Failure After Patching

Anthony Holloway avholloway+cisco-voip at gmail.com
Mon Apr 18 10:13:46 EDT 2016


As an alternative to DRS, when it comes to restoring messages in Unity
Connection, would COBRAS export/import work?

COBRAS export has a schedule feature, where you can run it as often as you
like, and for only certain mailboxes (e.g., Executive leadership,
department mailboxes, etc.).

Read a little more about COBRAS export schedule here:

http://www.ciscounitytools.com/Applications/General/COBRAS/Help/COBRAS_Briefcase/COBRAS_Briefcase.htm#_Toc383446513

I haven't seen anyone doing this; I just know that it's out there. Does
anyone have any experience with setting up COBRAS to run on a schedule,
exporting all or specific mailboxes, and then restoring messages?



On Fri, Apr 15, 2016 at 5:25 PM, Pete Brown <jpb at chykn.com> wrote:

> They're definitely covering the bases on this one.  There are a total of 6
> Cisco Bug IDs directly related to this.  Looks like one for each file on
> each product that would have contained the plaintext random key.  I guess
> it was only a matter of time.  As much as I hate to see this particular
> door closed, I understand and agree with the logic behind it.
>
>
> http://www.securityfocus.com/bid/83103/discuss
>
>
> To those in the DRS group, I apologize for any headache this has caused.
> But please do not put any additional restrictions in place on unlocking
> backup data.  As customers, we have a legitimate need to access data from
> backups without having to perform a full restore.  Some customers do not
> have the resources necessary to stand up sandbox environments for
> restores.  Even if they do, an engineer should not have to spend an entire
> day restoring a system in order to fulfill a voicemail extraction request
> from legal.  That's the reason this program was written to begin with.  DRS
> Message Fisher wasn't updated with an option to open encrypted backup sets
> by inputting the cluster security password.
>
>
> Thanks,
>
> Pete
>
> Multiple Cisco Unified Products CVE-2016-1319 Information Disclosure
> Vulnerability <http://www.securityfocus.com/bid/83103/discuss>
>
>
>
>
> ------------------------------
> *From:* Pete Brown <jpb at chykn.com>
> *Sent:* Friday, April 15, 2016 3:42 PM
> *To:* cisco-voip at puck.nether.net
> *Subject:* DRS Backup Decrypter - Decrypt Failure After Patching
>
>
> Looks like the party is going to be over for decrypting backup sets
> without requiring the cluster security password...
>
>
> https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv85926
>
>
> All encrypted DRS backup sets until now have contained a plaintext copy of
> the randomly generated backup key.  It lists the known affected releases
> as 10.5(2.12901.1), but this goes all the way from 8.0 to 11.5 and affects
> CUCM, UCON and UCCX. This is how the decrypter has been able to decrypt
> backup sets without the cluster security password.
>
>
> Once this is patched, you may no longer be able to decrypt backups even if
> you type in the correct password.  If you run into this, please let me know
> and I'll work on an update.
>
>
> Thanks,
>
> Pete
>