Hi folks <br><br>Was planning to apply a SR to call manager 5.1.3 this
weekend anyway so may as well patch this too... but I can't find a
5.1.3c version on cco. Latest is 5.1.3b, 5.1.3.3000-5. Any ideas?<br><br>Ed<br><br><div class="gmail_quote">On Wed, Jun 25, 2008 at 12:00 PM, Cisco Systems Product Security Incident Response Team <<a href="mailto:psirt@cisco.com">psirt@cisco.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Cisco Security Advisory: Cisco Unified Communications Manager Denial<br>
of Service and Authentication Bypass<br>
Vulnerabilities<br>
<br>
Advisory ID: cisco-sa-20080625-cucm<br>
<br>
Revision 1.0<br>
<br>
For Public Release 2008 June 25 1600 UTC (GMT)<br>
<br>
+---------------------------------------------------------------------<br>
<br>
Summary<br>
=======<br>
<br>
Cisco Unified Communications Manager (CUCM), formerly Cisco<br>
CallManager, contains a denial of service (DoS) vulnerability in the<br>
Computer Telephony Integration (CTI) Manager service that may cause<br>
an interruption in voice services and an authentication bypass<br>
vulnerability in the Real-Time Information Server (RIS) Data<br>
Collector that may expose information that is useful for<br>
reconnaissance.<br>
<br>
Cisco has released free software updates that address these<br>
vulnerabilities. There are no workarounds for these vulnerabilities.<br>
<br>
This advisory is posted at<br>
<a href="http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml" target="_blank">http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml</a>.<br>
<br>
Affected Products<br>
=================<br>
<br>
Vulnerable Products<br>
+------------------<br>
<br>
The following products are vulnerable:<br>
<br>
* Cisco Unified CallManager 4.1 versions<br>
* Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4<br>
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1<br>
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3c)<br>
* Cisco Unified Communications Manager 6.x versions prior to 6.1(2)<br>
<br>
Administrators of systems running Cisco Unified Communications<br>
Manager (CUCM) version 4.x can determine the software version by<br>
navigating to Help > About Cisco Unified CallManager and selecting<br>
the Details button via the CUCM administration interface.<br>
<br>
Administrators of systems that are running CUCM versions 5.x and 6.x<br>
can determine the software version by viewing the main page of the<br>
CUCM administration interface. The software version can also be<br>
determined by running the command show version active via the command<br>
line interface (CLI).<br>
<br>
Products Confirmed Not Vulnerable<br>
+--------------------------------<br>
<br>
Cisco Unified Communications Manager Express is not affected by these<br>
vulnerabilities. No other Cisco products are currently known to be<br>
affected by these vulnerabilities.<br>
<br>
Details<br>
=======<br>
<br>
Cisco Unified Communications Manager (CUCM) is the call processing<br>
component of the Cisco IP Telephony solution that extends enterprise<br>
telephony features and functions to packet telephony network devices,<br>
such as IP phones, media processing devices, VoIP gateways, and<br>
multimedia applications.<br>
<br>
Computer Telephony Integration Manager Related Vulnerability<br>
<br>
The Computer Telephony Integration (CTI) Manager service of CUCM<br>
versions 5.x and 6.x contains a vulnerability when handling malformed<br>
input that may result in a DoS condition. The CTI Manager service<br>
listens by default on TCP port 2748 and is not user-configurable.<br>
There is no workaround for this vulnerability. This vulnerability is<br>
fixed in CUCM versions 5.1(3c) and 6.1(2). This vulnerability is<br>
documented in Cisco Bug ID CSCso75027 and has been assigned Common<br>
Vulnerabilities and Exposures (CVE) identifier CVE-2008-2061.<br>
<br>
Real-Time Information Server Data Collector Related Vulnerability<br>
<br>
The Real-Time Information Server (RIS) Data Collector service of CUCM<br>
versions 4.x, 5.x, and 6.x contains an authentication bypass<br>
vulnerability that may result in the unauthorized disclosure of<br>
certain CUCM cluster information. In normal operation, Real-Time<br>
Monitoring Tool (RTMT) clients gather CUCM cluster statistics by<br>
authenticating to a Simple Object Access Protocol (SOAP) based web<br>
interface. The SOAP interface proxies authenticated connections to<br>
the RIS Data Collector process. The RIS Data Collector service<br>
listens on TCP port 2556 by default and is user configurable. By<br>
connecting directly to the port that the RIS Data Collector process<br>
listens on, it may be possible to bypass authentication checks and<br>
gain read-only access to information about a CUCM cluster. The<br>
information available includes performance statistics, user names,<br>
and configured IP phones. This information may be used to mount<br>
further attacks. No passwords or other sensitive CUCM configuration<br>
may be obtained via this vulnerability. No CUCM configuration changes<br>
can be made.<br>
<br>
There is no workaround for this vulnerability. This vulnerability is<br>
fixed in CUCM versions 4.2(3)SR4, 4.3(2)SR1, 5.1(3), and 6.1(1). For<br>
CUCM 4.x versions, this vulnerability is documented in Cisco Bug ID<br>
CSCsq35151 and has been assigned CVE identifier CVE-2008-2062. For<br>
CUCM 5.x and 6.x versions, this vulnerability is documented in Cisco<br>
Bug ID CSCsj90843 and has been assigned CVE identifier CVE-2008-2730.<br>
<br>
Vulnerability Scoring Details<br>
=============================<br>
<br>
Cisco has provided scores for the vulnerabilities in this advisory<br>
based on the Common Vulnerability Scoring System (CVSS). The CVSS<br>
scoring in this Security Advisory is done in accordance with CVSS<br>
version 2.0.<br>
<br>
CVSS is a standards-based scoring method that conveys vulnerability<br>
severity and helps determine urgency and priority of response.<br>
<br>
Cisco has provided a base and temporal score. Customers can then<br>
compute environmental scores to assist in determining the impact of<br>
the vulnerability in individual networks.<br>
<br>
Cisco has provided an FAQ to answer additional questions regarding<br>
CVSS at:<br>
<br>
<a href="http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html" target="_blank">http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html</a><br>
<br>
Cisco has also provided a CVSS calculator to help compute the<br>
environmental impact for individual networks at:<br>
<br>
<a href="http://intellishield.cisco.com/security/alertmanager/cvss" target="_blank">http://intellishield.cisco.com/security/alertmanager/cvss</a><br>
<br>
<br>
CSCso75027 - CTI Manager TSP Crash<br>
<br>
CVSS Base Score - 7.8<br>
Access Vector - Network<br>
Access Complexity - Low<br>
Authentication - None<br>
Confidentiality Impact - None<br>
Integrity Impact - None<br>
Availability Impact - Complete<br>
<br>
CVSS Temporal Score - 6.4<br>
Exploitability - Functional<br>
Remediation Level - Official Fix<br>
Report Confidence - Confirmed<br>
<br>
CSCsq35151 - RISDC Authentication Bypass<br>
<br>
CVSS Base Score - 5<br>
Access Vector - Network<br>
Access Complexity - Low<br>
Authentication - None<br>
Confidentiality Impact - Partial<br>
Integrity Impact - None<br>
Availability Impact - None<br>
<br>
CVSS Temporal Score - 4.1<br>
Exploitability - Functional<br>
Remediation Level - Official Fix<br>
Report Confidence - Confirmed<br>
<br>
CSCsj90843 - RISDC Authentication Bypass<br>
<br>
CVSS Base Score - 5<br>
Access Vector - Network<br>
Access Complexity - Low<br>
Authentication - None<br>
Confidentiality Impact - Partial<br>
Integrity Impact - None<br>
Availability Impact - None<br>
<br>
CVSS Temporal Score - 4.1<br>
Exploitability - Functional<br>
Remediation Level - Official Fix<br>
Report Confidence - Confirmed<br>
<br>
Impact<br>
======<br>
<br>
Successful exploitation of the vulnerabilities in this advisory may<br>
result in the interruption of voice services or disclosure of<br>
information useful for reconnaissance.<br>
<br>
Software Versions and Fixes<br>
===========================<br>
<br>
When considering software upgrades, also consult <a href="http://www.cisco.com/go/psirt" target="_blank">http://www.cisco.com/go/psirt</a><br>
and any subsequent advisories to determine exposure and a<br>
complete upgrade solution.<br>
<br>
In all cases, customers should exercise caution to be certain the<br>
devices to be upgraded contain sufficient memory and that current<br>
hardware and software configurations will continue to be supported<br>
properly by the new release. If the information is not clear, contact<br>
the Cisco Technical Assistance Center (TAC) or your contracted<br>
maintenance provider for assistance.<br>
<br>
Cisco Unified Communications Manager (CUCM) version 4.2(3)SR4<br>
contains fixes for all vulnerabilities affecting CUCM version 4.2<br>
listed in this advisory. Cisco Unified CallManager 4.1 version<br>
administrators are encouraged to upgrade to CUCM version 4.2(3)SR4 in<br>
order to obtain fixed software. Version 4.2(3)SR4 can be downloaded<br>
at the following link:<br>
<br>
<a href="http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdid=null&imname=null&hybrid=Y&imst=N" target="_blank">http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdid=null&imname=null&hybrid=Y&imst=N</a><br>
<br>
CUCM version 4.3(2)SR1 contains fixes for all vulnerabilities<br>
affecting CUCM version 4.3 listed in this advisory and is scheduled<br>
to be released in mid-July, 2008. Version 4.3(2)SR1 will be available<br>
for download at the following link:<br>
<br>
<a href="http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N" target="_blank">http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N</a><br>
<br>
CUCM version 5.1(3c) contains fixes for all vulnerabilities affecting<br>
CUCM version 5.x listed in this advisory. Version 5.1(3c) can<br>
downloaded at the following link:<br>
<br>
<a href="http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N" target="_blank">http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N</a><br>
<br>
CUCM version 6.1(2) contains fixes for all vulnerabilities affecting<br>
CUCM version 6.x listed in this advisory. Version 6.1(2) can be<br>
downloaded at the following link:<br>
<br>
<a href="http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N" target="_blank">http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N</a><br>
<br><br>
_______________________________________________<br>
cisco-nsp mailing list <a href="mailto:cisco-nsp@puck.nether.net">cisco-nsp@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-nsp" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-nsp</a><br>
archive at <a href="http://puck.nether.net/pipermail/cisco-nsp/" target="_blank">http://puck.nether.net/pipermail/cisco-nsp/</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Ed Leatherman<br>Senior Voice Engineer<br>West Virginia University<br>Telecommunications and Network Operations