Summary

• A denial of service (DoS) vulnerability exists in Jabber Extensible Communications Platform (Jabber XCP) and Cisco Unified Presence. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious XML to an affected server. Successful exploitation of this vulnerability could cause elevated memory and CPU utilization, resulting in memory exhaustion and process crashes. Repeated exploitation could result in a sustained DoS condition.

  There are no workarounds available to mitigate exploitation of this vulnerability.

  This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-xcpcupsxml.

Affected Products

• Vulnerable Products

  The following versions of Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP) are affected by the vulnerability in this advisory. JabberNow appliances are also affected if they are running a vulnerable version of Jabber XCP software.

  Cisco Unified Presence

  All versions of Cisco Unified Presence prior to 8.5(4) are affected by the vulnerability in this advisory.

  Jabber XCP and JabberNow Appliances

  The following Jabber XCP software versions are affected by the vulnerability in this advisory:

  Versions	Builds
  2.X	All builds
  3.X	All builds
  4.X	All builds
  5.0	All builds
  5.1	All builds
  5.2	All builds
  5.4	Prior to 5.4.0.27581
  5.8	Prior to 5.8.1.27561

  Note: JabberNow appliances that are running these software versions are also affected by the vulnerability in this advisory.

  Determining Cisco Unified Presence Software Versions

  To determine the running version of Cisco Unified Presence software, issue the show version active command from the command line interface.

  The following example shows Cisco Unified Presence software version 8.6.0:

  admin: show version active
  Active Master Version: 8.6.0.97041-43

  Determining Jabber XCP Software Versions

  To determine the running version of Jabber XCP software, find the JABBER_VERSION in the [JABBER_HOME]/var/cache/xcp_vars.sh file.

  The following example shows Jabber XCP software version 5.8.1.17421:

  JABBER_VERSION=5.8.1.17421

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.

Details

• Jabber XCP and Cisco Unified Presence provide an open and extensible platform that facilitates the secure exchange of availability and instant messaging (IM) information.

  The XML parsers in Jabber XCP (including JabberNow appliances) and Cisco Unified Presence are vulnerable to the Exponential Entity Expansion attack. This attack is also known as an XML Bomb referring to an XML document that is valid according to the rules of an XML schema yet results in the hanging or crash of the parser or underlying server. The attack is often referred to as the Billion Laughs Attack because many proof of concept examples caused XML parsers to expand the string lol or ha up to a billion times or until server resources were exhausted.

  The attack combines certain properties of XML to create valid but malicious XML using an extreme level of nested substitutions. When an XML parser attempts to expand all the nested entities it quickly exhausts all server resources.

  This technique will cause the XML parsers in Cisco Unified Presence and Jabber XCP (including JabberNow appliances) to trigger high CPU and memory usage resulting in process crashes. The attack affects both client-to-server connections as well as server-to-server (federation) links.

  This vulnerability is documented in the following Cisco bug IDs:

  • CSCtq78106 ( registered customers only)
  • CSCtq89842 ( registered customers only)
  • CSCtq88547 ( registered customers only)

  This vulnerability was assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3287 for Cisco bug ID CSCtq78106 and CVE ID CVE-2011-3288 for Cisco bug IDs CSCtq89842 and CSCtq88547.

Workarounds

• There are no available workarounds to mitigate this vulnerability.

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  Cisco Unified Presence Software Version	First Fixed Release
  All versions prior to 8.5(4)	Upgrade to 8.5(4)

  Jabber XCP Software Version, Including JabberNow Appliances	First Fixed Release
  Versions prior to 4.X	These versions are vulnerable but are End of Life. No fixed software will be made available. Cisco highly recommends that customers using one of these versions migrate to a supported version.
  Versions 4.X - 5.2	Migrate to 5.4.0.27581, 5.8.1.27561, or higher
  Version 5.4	Upgrade to 5.4.0.27581, 5.8.1.27561, or higher
  Version 5.8	Upgrade to 5.8.1.27561 or higher

Exploitation and Public Announcements

• XML entity expansion attacks are well known, but Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability against the Cisco products in this advisory.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-xcpcupsxml

Revision History

• Revision 1.1	2012-July-18	Updated advisory metatags.
  Revision 1.0	2011-September-28	Initial public release.

  Show Less