CERT-In Advisory CIAD-2007-37
Cisco Unified Communications Manager and Presence Server Unauthorized Access Vulnerability
Original issue date: July 16, 2007
Severity Rating: Medium
Systems Affected
- Cisco Unified CallManager 5.0 and Communications Manager 5.1 versions up to and including 5.1(2)
- Cisco Unified Presence Server 1.0 versions up to and including 1.0(3)
Overview
Cisco Unified Communications Manager and Cisco Unified Presence Server are components of the Cisco IP telephony solution. Both are vulnerable to unauthorized access. An attacker could activate or terminate the service, leak SNMP information and create a DoS condition.
Description
Cisco Unified Communications Manager (CUCM), formerly CallManager, extends enterprise telephony features and capabilities to packet telephony network devices such as IP phones, media processing devices, voice over IP (VoIP) gateways, and multimedia applications such as unified messaging and multimedia conferencing. Cisco Unified Presence Server (CUPS) collects information about a user's availability status and communications capabilities, including whether the user is using a communications device such as a phone at a particular time or has Web collaboration or videoconferencing enabled on their system. Cisco Unified Communications Manager and Presence Server are prone to multiple unauthorized-access vulnerabilities. Attackers may exploit these issues to gain access to sensitive information, activate and terminate CUCM / CUPS system services, access SNMP configuration information, and create denial-of-service conditions.
Workaround
Vendor Information
Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20070711-voip.shtml
References
Aus-CERT
https://www.auscert.org.au/render.html?it=7833
Security Focus
http://www.securityfocus.com/bid/24867
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
