[cisco-voip] DRS Backup Decrypter - Decrypt Failure After Patching

Ed Puzziferri epuzziferri at factset.com
Mon Apr 18 10:26:14 EDT 2016


We have been using COBRAS for years; it works fine backing up messages and restoring if necessary, although we rarely ever have to restore a mailbox. We run it on one of our Windows 2008 servers that’s used to run a bunch of random applications/tasks. The guy from Cisco who developed COBRAS is also very involved and helpful when problems arise.

The only caveat I see is, if you have very large, or many message stores, using it may be cumbersome since I think it can only back up 15 gig at a time.

Ed

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Anthony Holloway
Sent: Monday, April 18, 2016 10:14 AM
To: Pete Brown
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] DRS Backup Decrypter - Decrypt Failure After Patching

As an alternative to DRS, when it comes to restoring messages in Unity Connection, would COBRAS export/import work?

COBRAS export has a schedule feature, where you can run it as often as you like, and for only certain mailboxes (e.g., executive leadership, department mailboxes, etc.).

Read a little more about COBRAS export schedule here:

http://www.ciscounitytools.com/Applications/General/COBRAS/Help/COBRAS_Briefcase/COBRAS_Briefcase.htm#_Toc383446513

I haven't seen anyone doing this; I just know that it's out there. Does anyone have any experience with setting up COBRAS to run on a schedule, exporting all or specific mailboxes, and then restoring messages?



On Fri, Apr 15, 2016 at 5:25 PM, Pete Brown <jpb at chykn.com> wrote:

They're definitely covering the bases on this one.  There are a total of 6 Cisco Bug IDs directly related to this.  Looks like one for each file on each product that would have contained the plaintext random key.  I guess it was only a matter of time.  As much as I hate to see this particular door closed, I understand and agree with the logic behind it.



http://www.securityfocus.com/bid/83103/discuss



To those in the DRS group, I apologize for any headache this has caused.  But please do not put any additional restrictions in place to unlocking backup data.  As customers, we have a legitimate need to access data from backups without having to perform a full restore.  Some customers do not have the resources necessary to stand up sandbox environments for restores.  Even if they do, an engineer should not have to spend an entire day restoring a system in order to fulfill a voicemail extraction request from legal.  That's the reason this program was written to begin with.  DRS Message Fisher wasn't updated with an option to open encrypted backup sets by inputting the cluster security password.



Thanks,

Pete
Multiple Cisco Unified Products CVE-2016-1319 Information Disclosure Vulnerability <http://www.securityfocus.com/bid/83103/discuss>



________________________________
From: Pete Brown <jpb at chykn.com>
Sent: Friday, April 15, 2016 3:42 PM
To: cisco-voip at puck.nether.net
Subject: DRS Backup Decrypter - Decrypt Failure After Patching


Looks like the party is going to be over for decrypting backup sets without requiring the cluster security password...



https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv85926



All encrypted DRS backup sets until now have contained a plaintext copy of the randomly generated backup key.  It lists the known affected releases as 10.5(2.12901.1), but this goes all the way from 8.0 to 11.5 and affects CUCM, UCON and UCCX.  This is how the decrypter has been able to decrypt backup sets without the cluster security password.



Once this is patched, you may no longer be able to decrypt backups even if you type in the correct password.  If you run into this, please let me know and I'll work on an update.



Thanks,

Pete
