
AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C
-
Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM.
On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server. The attack chain used the following types of vulnerabilities:
- Blind Structured Query Language (SQL) injection
- Command injection
- Privilege escalation
Cisco has released a Cisco Options Package (COP) file that addresses three of the vulnerabilities documented in this advisory. Cisco is currently investigating the remaining vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-cucm
-
Vulnerable Products
The following products are affected by the vulnerabilities that are described in this advisory:
- Cisco Unified Communications Manager 7.1(x)
- Cisco Unified Communications Manager 8.5(x)
- Cisco Unified Communications Manager 8.6(x)
- Cisco Unified Communications Manager 9.0(x)
- Cisco Unified Communications Manager 9.1(x)
Cisco Unified CM is the only product confirmed to be vulnerable to the documented attack. Additional voice products may be affected by one or more of the individual vulnerabilities that are described in this advisory. The following products are being investigated but have not yet been confirmed as vulnerable:
- Cisco Emergency Responder
- Cisco Unified Contact Center Express
- Cisco Unified Customer Voice Portal
- Cisco Unified Presence Server/Cisco IM and Presence Service
- Cisco Unity Connection
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco Unified CM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.
Blind Structured Query Language Injection Vulnerabilities
Cisco Unified CM and associated products may contain one or more of the following blind SQL injection vulnerabilities. The vulnerabilities may be exploited from an authenticated or unauthenticated context depending on the particular vulnerability.
SQL injection vulnerabilities are due to a failure to perform proper validation of user-supplied requests prior to being used to form an SQL query. An attacker could exploit this behavior by injecting SQL commands. An exploit could allow the attacker to disclose or modify arbitrary information in the database.
The first of the identified vulnerabilities could be exploited by an unauthenticated, remote attacker. An exploit could allow the attacker to use metadata to recreate encrypted information in the database. This metadata could be used to reconstruct encrypted credentials.
This vulnerability is documented in Cisco bug ID CSCuh01051 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-3404. This vulnerability applies to Cisco Unified CM versions 9.1(1a) and prior.
The second vulnerability could be exploited by an authenticated, remote attacker. An exploit could allow the attacker to modify or insert additional data into certain tables in the database.
This vulnerability is documented in Cisco bug ID CSCuh81766 (registered customers only) and has been assigned CVE ID CVE-2013-3412. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.
These vulnerabilities can be exploited over the default management ports, TCP ports 8080 or 8443.
Hard-Coded Encryption Key
Cisco Unified Communications Manager (Unified CM) contains a hard-coded encryption key used for the encryption of sensitive data stored within the database, and securing computer telephony integration (CTI) communications.
The issue is due to the use of a static symmetric encryption key in all Cisco Unified CM versions. An attacker could exploit this issue by using the secret key to decrypt sensitive data including user credentials. An exploit could allow the attacker to decrypt sensitive system information such as user credentials gained when using other attacks. This issue is documented in Cisco bug ID CSCsc69187 (registered customers only). This issue applies to Cisco Unified CM versions 9.1(2) and prior.
Cisco Unified Presence Server/IM & Presence Service versions 9.1(2) and prior are also affected by this issue. This issue is documented in Cisco bug ID CSCui01756 (registered customers only).
Command Injection Vulnerability
A vulnerability in Cisco Unified Communications Manager (Unified CM) could allow an authenticated, remote attacker to execute commands on the underlying operating system with the privileges of the database user.
The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by submitting malicious input to the affected function.
This vulnerability is documented in Cisco bug ID CSCuh73440 (registered customers only) and has been assigned CVE ID CVE-2013-3402. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.
Privilege Escalation Vulnerability
Vulnerabilities in Cisco Unified Communications Manager could allow an authenticated, local attacker to escalate privileges on the system.
The vulnerabilities are due to improper file permissions, environment variables and relative paths in a privileged system script or binary. An attacker could exploit these vulnerabilities by modifying certain system scripts. This could allow the attacker to gain complete control of the affected system.
The first two privilege escalation vulnerabilities are documented in Cisco bug IDs CSCuh73454 (registered customers only) and CSCuh87042 (registered customers only) and have been assigned CVE ID CVE-2013-3403.
A third privilege escalation vulnerability is documented in Cisco bug ID CSCui02242 (registered customers only) and has been assigned CVE ID CVE-2013-3434.
A fourth privilege escalation vulnerability is documented in Cisco bug ID CSCui02276 (registered customers only) and has been assigned CVE ID CVE-2013-3433.
These vulnerabilities apply to Cisco Unified CM versions 9.1(1a) and prior.
-
There are no workarounds for the vulnerabilities described in this document.
Additional workaround details are available in the companion Applied Mitigation Bulletin (AMB) at the following location: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29846
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
There are no Cisco Unified CM versions currently available that contain software fixes for the vulnerabilities described in this advisory. This advisory will be updated as fixed software is made available. In the interim, Cisco has released a Cisco Options Package (COP) file that addresses the following vulnerabilities: CSCuh01051, CSCuh87042 and CSCuh73454.
Customers can download and install the COP file as a solution for the previous vulnerabilities while awaiting fixed software versions.
This package will install on the following system versions:
- 7.1.3
- 7.1.5
- 8.5.1
- 8.6.2
- 9.1.1
Products -> Voice and Unified Communications -> IP Telephony -> Unified Communications Platform -> Cisco Unified Communications Manager -> Cisco Unified Communications Manager Version 9.1 -> Unified Communications Manager / CallManager / Cisco Unity Connection Utilities-COP-Files
The COP file mitigates the initial attack vector (CSCuh01051) and reduces the documented attack surface. Application of the COP file is highly recommended for all affected Cisco Unified CM product versions.
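The version bounds and COP file coverage stated in this advisory, turned into a triage helper for an inventory of Unified CM hosts. This is an added example, not Cisco code: the function names, the `M.m(n)` version format, the restriction to the release trains listed under Vulnerable Products, and the treatment of a lettered build such as 9.1(1a) as system version 9.1.1 are assumptions.

```python
import re

# (Cisco bug ID, CVE ID, "and prior" bound) exactly as stated in the advisory.
ISSUES = [
    ("CSCuh01051", "CVE-2013-3404", "9.1(1a)"),  # unauthenticated blind SQL injection
    ("CSCuh81766", "CVE-2013-3412", "9.1(2)"),   # authenticated blind SQL injection
    ("CSCsc69187", None, "9.1(2)"),              # hard-coded encryption key (no CVE given)
    ("CSCuh73440", "CVE-2013-3402", "9.1(2)"),   # command injection
    ("CSCuh73454", "CVE-2013-3403", "9.1(1a)"),  # privilege escalation
    ("CSCuh87042", "CVE-2013-3403", "9.1(1a)"),  # privilege escalation
    ("CSCui02242", "CVE-2013-3434", "9.1(1a)"),  # privilege escalation
    ("CSCui02276", "CVE-2013-3433", "9.1(1a)"),  # privilege escalation
]
COP_FIXES = {"CSCuh01051", "CSCuh87042", "CSCuh73454"}
COP_INSTALLS_ON = {(7, 1, 3), (7, 1, 5), (8, 5, 1), (8, 6, 2), (9, 1, 1)}
LISTED_TRAINS = {(7, 1), (8, 5), (8, 6), (9, 0), (9, 1)}  # "Vulnerable Products"

_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")

def parse_version(text):
    """'9.1(1a)' -> (9, 1, 1, 'a'); tuples order so 9.1(1) < 9.1(1a) < 9.1(2)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version: {text!r}")
    major, minor, maint, letter = m.groups()
    return (int(major), int(minor), int(maint), letter)

def triage(version):
    """Return the advisory's open issues for one host, or None if the train is not listed."""
    v = parse_version(version)
    if v[:2] not in LISTED_TRAINS:
        return None
    bugs = [bug for bug, _cve, bound in ISSUES if v <= parse_version(bound)]
    cves = sorted({cve for bug, cve, _bound in ISSUES if cve and bug in bugs})
    # Assumption: a lettered build such as 9.1(1a) counts as system version 9.1.1.
    cop_ok = v[:3] in COP_INSTALLS_ON
    remaining = [b for b in bugs if not (cop_ok and b in COP_FIXES)]
    return {"bugs": bugs, "cves": cves, "cop_installable": cop_ok,
            "remaining_after_cop": remaining}

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    for host, ver in {"cucm-pub": "9.1(1a)", "cucm-lab": "9.1(2)", "cucm-old": "7.1(5)"}.items():
        print(host, ver, triage(ver))
```

The `remaining_after_cop` list is what stays open on a host after the COP file is installed, which is the set to track until fixed software is released.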
-
The blind SQL injection vulnerability (CSCuh01051) was initially reported to Cisco by Emerging Defense, LLC.
These vulnerabilities were demonstrated during the SSTIC 2013 IT security conference in Rennes, France on June 6, 2013, by a French security firm, Lexfo. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
- Revision 1.1, 2013-July-17: Corrected CVSS score to correct the remediation level for privilege escalation vulnerabilities CSCuh73454 and CSCuh87042 (CVE-2013-3403). Two minor wording corrections for clarity.
- Revision 1.0, 2013-July-17: Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.