
CERT-In Advisory CIAD-2007-56
Cisco Unified Communications Web-based Management Vulnerability

Original issue date: October 24, 2007

Severity Rating: High

Systems Affected

  • Software 7.1(5) of the following components is vulnerable in Web View and Web Admin.

Script monitoring tool (Web View):

  • Cisco Unified Intelligent Contact Management Enterprise (Unified ICME)
  • Cisco Unified ICM Hosted (Unified ICMH)
  • Cisco Unified Contact Center Enterprise (UCCE)
  • Cisco Unified Contact Center Hosted (UCCH)
  • Cisco System Unified Contact Center Enterprise (SUCCE)

Web-based configuration tool (Web Admin):

  • Cisco System Unified Contact Center Enterprise (SUCCE)

Overview

A vulnerability exists in Unified Contact Center and Intelligent Contact Management (ICM) products that could be exploited to gain unauthorized access to the web-based reporting and script monitoring tool (Web View) and the web-based configuration tool (Web Admin), and to view Web View information.

Description

Cisco Unified ICME, Unified ICMH, UCCE, UCCH and SUCCE are suites used in Cisco IP telephony. Two vulnerabilities exist in these components that may enable any user defined in the Windows Active Directory domain to obtain unauthorized privileges. Windows Active Directory users may be able to view Web View report information for any call center instance. Cisco SUCCE is also affected by unauthorized access to the Web Admin tool, which could allow the application configuration to be changed.

Workaround

Allow access only from trusted hosts by using an appropriate access list.

Vendor Information

Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20071017-PCC.shtml

References

SecurityFocus
http://www.securityfocus.com/archive/1/482434

AusCERT
http://www.auscert.org.au/render.html?it=8224

CIAC
http://www.ciac.org/ciac/bulletins/s-020.shtml

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003