Cisco Security Advisory
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
Cisco Unified Communications Manager (CUCM), formerly Cisco CallManager, contains a denial of service (DoS) vulnerability in the Computer Telephony Integration (CTI) Manager service that may cause an interruption in voice services and an authentication bypass vulnerability in the Real-Time Information Server (RIS) Data Collector that may expose information that is useful for reconnaissance.
Cisco has released software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080625-cucm.
-
Vulnerable Products
The following products are vulnerable:
-
Cisco Unified CallManager 4.1 versions
-
Cisco Unified Communications Manager 4.2 versions prior to
4.2(3)SR4
-
Cisco Unified Communications Manager 4.3 versions prior to
4.3(2)SR1
-
Cisco Unified Communications Manager 5.x versions prior to
5.1(3c)
-
Cisco Unified Communications Manager 6.x versions prior to
6.1(2)
Administrators of systems running Cisco Unified Communications Manager (CUCM) version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the CUCM administration interface.
Administrators of systems that are running CUCM versions 5.x and 6.x can determine the software version by viewing the main page of the CUCM administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI).
Products Confirmed Not Vulnerable
Cisco Unified Communications Manager Express is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco Unified CallManager 4.1 versions
-
Cisco Unified Communications Manager (CUCM) is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.
Computer Telephony Integration Manager Related Vulnerability
The Computer Telephony Integration (CTI) Manager service of CUCM versions 5.x and 6.x contains a vulnerability when handling malformed input that may result in a DoS condition. The CTI Manager service listens by default on TCP port 2748 and is not user-configurable. There is no workaround for this vulnerability. This vulnerability is fixed in CUCM versions 5.1(3c) and 6.1(2). This vulnerability is documented in Cisco Bug ID CSCso75027 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2061.
Real-Time Information Server Data Collector Related Vulnerability
The Real-Time Information Server (RIS) Data Collector service of CUCM versions 4.x, 5.x, and 6.x contains an authentication bypass vulnerability that may result in the unauthorized disclosure of certain CUCM cluster information. In normal operation, Real-Time Monitoring Tool (RTMT) clients gather CUCM cluster statistics by authenticating to a Simple Object Access Protocol (SOAP) based web interface. The SOAP interface proxies authenticated connections to the RIS Data Collector process. The RIS Data Collector service listens on TCP port 2556 by default and is user configurable. By connecting directly to the port that the RIS Data Collector process listens on, it may be possible to bypass authentication checks and gain read-only access to information about a CUCM cluster. The information available includes performance statistics, user names, and configured IP phones. This information may be used to mount further attacks. No passwords or other sensitive CUCM configuration may be obtained via this vulnerability. No CUCM configuration changes can be made.
There is no workaround for this vulnerability. This vulnerability is fixed in CUCM versions 4.2(3)SR4, 4.3(2)SR1, 5.1(3), and 6.1(1). For CUCM 4.x versions, this vulnerability is documented in Cisco Bug ID CSCsq35151 and has been assigned CVE identifier CVE-2008-2062. For CUCM 5.x and 6.x versions, this vulnerability is documented in Cisco Bug ID CSCsj90843 and has been assigned CVE identifier CVE-2008-2730.
-
CTI Manager Related Vulnerability
It is possible to mitigate the CTI Manager vulnerability (CSCso75027) by implementing filtering on screening devices. Administrators are advised to permit access to TCP port 2748 only from networks that contain systems running CTI-enabled applications.
RIS Data Collector Related Vulnerability
It is possible to mitigate the RIS Data Collector vulnerability (CSCsq35151 and CSCsj90843) by implementing filtering on screening devices. Administrators are advised to permit access to TCP port 2556 only from other CUCM cluster systems.
It is possible to change the default port (TCP 2556) of the RIS Data Collector service. If changed, filtering should be based on the values used. The values of the ports can be viewed in the Cisco Unified Communications Manager (CUCM) administration interface by following the System > Service Parameters menu and selecting the appropriate service.
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Cisco Unified Communications Manager (CUCM) version 4.2(3)SR4 contains fixes for all vulnerabilities affecting CUCM version 4.2 listed in this advisory. Cisco Unified CallManager 4.1 version administrators are encouraged to upgrade to CUCM version 4.2(3)SR4 in order to obtain fixed software. Version 4.2(3)SR4 can be downloaded at the following link:
CUCM version 4.3(2)SR1 contains fixes for all vulnerabilities affecting CUCM version 4.3 listed in this advisory and is scheduled to be released in mid-July, 2008. Version 4.3(2)SR1 will be available for download at the following link:
CUCM version 5.1(3c) contains fixes for all vulnerabilities affecting CUCM version 5.x listed in this advisory. Version 5.1(3c) can downloaded at the following link:
CUCM version 6.1(2) contains fixes for all vulnerabilities affecting CUCM version 6.x listed in this advisory. Version 6.1(2) can be downloaded at the following link:
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. We would like to thank VoIPshield for working with us towards the goal of keeping Cisco networks and the Internet, as a whole, secure.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show Less
Revision 1.0
2008-June-25
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.