CERT-In Advisory CIAD-2008-07
Cisco Unified Communications Manager CTL Provider Heap Overflow

Original issue date: January 28, 2008

Severity Rating: Medium

Systems Affected

  • Cisco Unified Call Manager 4.0
  • Cisco Unified Call Manager 4.1 Versions prior to 4.1(3)SR5c
  • Cisco Unified Communications Manager 4.2 Versions prior to 4.2(3)SR3
  • Cisco Unified Communications Manager 4.3 Versions prior to 4.3(1)SR1
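As an added example (not part of the CERT-In advisory), the following Python helper parses Cisco's major.minor(maintenance)SR<n><letter> release notation and checks a reported CUCM version against the affected ranges listed above; treating a release without an SR suffix as older than any SR release of the same maintenance build is an assumption of this example.

```python
import re
from typing import Optional, Tuple

# Affected branches from the advisory, mapped to the first fixed release.
# None means the advisory lists the whole branch as affected with no fix given.
FIXED_RELEASES: dict = {
    (4, 0): None,
    (4, 1): "4.1(3)SR5c",
    (4, 2): "4.2(3)SR3",
    (4, 3): "4.3(1)SR1",
}

# Cisco release notation: <major>.<minor>(<maintenance>)[SR<n>[<letter>]]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:sr(\d+)([a-z])?)?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn e.g. '4.1(3)SR5c' into a comparable tuple (4, 1, 3, 5, 3).

    The SR number and its letter default to 0 when absent, so a plain
    maintenance release sorts before every SR of that build (assumption).
    """
    match = _VERSION_RE.match(version.strip().lower())
    if not match:
        raise ValueError(f"unrecognised CUCM version string: {version!r}")
    major, minor, maint, sr, letter = match.groups()
    sr_num = int(sr) if sr else 0
    sr_letter = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(maint), sr_num, sr_letter)


def fixed_release_for(version: str) -> Optional[str]:
    """Return the first fixed release for the version's branch, if listed."""
    return FIXED_RELEASES.get(parse_version(version)[:2])


def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range from the advisory."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch not in FIXED_RELEASES:
        return False  # branch not named in the advisory
    fixed = FIXED_RELEASES[branch]
    if fixed is None:
        return True  # entire branch listed, no fixed release given
    return parsed < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("pbx-a", "4.1(3)SR5b"), ("pbx-b", "4.2(3)SR3")]:
        print(host, ver, "AFFECTED" if is_affected(ver) else "not affected")
```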

Overview

CUCM contains a heap overflow vulnerability in a TLS component which may allow an unauthenticated remote user to cause a DoS condition or execute arbitrary code.

Description

In Cisco IP telephony, CUCM (Cisco Unified Communications Manager) is the component that processes calls. Cisco IP phones verify the identity of CUCM servers using a CTL (Certificate Trust List), which in turn relies on public keys; the CTL Provider service (CTLProvider.exe) is used to provision the CTL. A vulnerability has been reported in the CTL Provider service of CUCM which may allow an unauthenticated remote user to cause a DoS condition.

Workaround

  • Disable the CTL Provider service if it is not in use
  • Use access lists to restrict network access to CUCM to trusted hosts only

Vendor Information

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml

References

SecurityFocus
http://www.securityfocus.com/bid/27313

Secunia
http://secunia.com/advisories/28530/

DVLabs
http://dvlabs.tippingpoint.com/advisory/TPTI-08-02

CVE-Name
CVE-2008-0027

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003