CERT-In Vulnerability Note CIVN-2008-96
Multiple Vulnerabilities in Cisco Unified Communications Manager
Original Issue Date: July 01, 2008
Severity Rating: Medium
System Affected
- Cisco Unified CallManager 4.1 versions
- Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4
- Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1
- Cisco Unified Communications Manager 5.x versions prior to 5.1(3c)
- Cisco Unified Communications Manager 6.x versions prior to 6.1(2)
Overview
Two vulnerabilities have been reported in Cisco Unified Communications Manager (formerly Cisco Unified CallManager). Exploitation could allow an attacker to bypass certain security restrictions or cause a DoS condition.
Description
Cisco Unified Communications Manager is a comprehensive IP communications system of voice, video, data, and mobility products and applications.
1. Cisco Unified Communications Manager CTI Manager Service Denial of Service Vulnerability (CVE-2008-2061)
Computer Telephony Integration (CTI) Manager includes the CTI components that interface with the applications separated out of Cisco Unified Communications Manager. With CTIManager, applications can access resources and functionality of all Cisco Unified Communications Managers in the cluster and have improved failover capability.
The vulnerability exists due to an unspecified error in the CTI Manager Service when it processes malformed input, which can cause a DoS condition. This service accepts incoming connections on TCP port 2748 and is not user-configurable.
Workaround
- Permit access to TCP port 2748 only from networks that contain systems running CTI-enabled applications
2. Cisco Unified Communications Manager RTI Server Data Collector Service Authentication Bypass Vulnerability (CVE-2008-2062, CVE-2008-2730)
The Cisco Real-Time Information Server (RIS) data collector service is responsible for sending the configured information from the Cisco Unified Communications Manager database into the RIS database.
Simple Object Access Protocol (SOAP) is a lightweight protocol for exchange of information in a decentralized and distributed environment.
The vulnerability exists due to an error in the Real-Time Information Server (RIS) Data Collector service. This service relies on a Simple Object Access Protocol (SOAP) web interface to act as a proxy service so that authenticated Real-Time Monitoring Tool client systems can connect and gather Cisco Unified Communications Manager cluster statistics. An attacker could bypass these authentication routines by establishing a connection directly to the TCP port that is associated with the RIS Data Collector service; by default, this port is TCP port 2556 and is user configurable. This connection could allow the attacker to bypass authentication routines and access potentially sensitive information that pertains to the Cisco Unified Communications Manager cluster, which may be used to mount further attacks.
Workarounds
- Permit access to TCP port 2556 only from other CUCM cluster systems
- Configure the RIS Data Collector service to listen on a different port
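To check that the access restrictions in both workarounds are holding, connection records can be audited against them. The following is an added example, not part of the CERT-In note or Cisco's advisory; the log format, the addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Assumed site values, constructed from RFC 5737 documentation ranges.
CTI_APP_NETS = ["198.51.100.0/24"]                  # networks with CTI-enabled applications
CLUSTER_HOSTS = ["192.0.2.11/32", "192.0.2.12/32"]  # other CUCM cluster systems
RIS_PORT = 2556  # default per the note; adjust if the service was moved

def build_policy(ris_port=RIS_PORT):
    """Map each protected TCP port to (service name, permitted source networks)."""
    def nets(cidrs):
        return [ipaddress.ip_network(c) for c in cidrs]
    return {2748: ("CTI Manager", nets(CTI_APP_NETS)),
            ris_port: ("RIS Data Collector", nets(CLUSTER_HOSTS))}

# Constructed flow records: timestamp src_ip dst_ip dst_port proto
SAMPLE_FLOWS = """\
2008-07-01T09:00:01Z 198.51.100.15 192.0.2.11 2748 tcp
2008-07-01T09:00:07Z 203.0.113.77 192.0.2.11 2748 tcp
2008-07-01T09:01:12Z 192.0.2.12 192.0.2.11 2556 tcp
2008-07-01T09:02:30Z 198.51.100.15 192.0.2.11 2556 tcp
2008-07-01T09:03:02Z 203.0.113.77 192.0.2.11 443 tcp
truncated record
2008-07-01T09:04:44Z 203.0.113.77 192.0.2.11 2556 udp
"""

def audit_flows(text, policy=None):
    """Return (violations, malformed_line_numbers) for flow-log text."""
    policy = policy or build_policy()
    violations, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            _ts, src, dst, port, proto = line.split()
            src_ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:  # wrong field count, bad address or bad port
            malformed.append(lineno)
            continue
        if proto.lower() != "tcp" or port not in policy:
            continue  # only the two TCP services named in the note are in scope
        service, allowed = policy[port]
        if not any(src_ip in net for net in allowed):
            violations.append((lineno, service, src, dst, port))
    return violations, malformed

if __name__ == "__main__":
    found, bad = audit_flows(SAMPLE_FLOWS)
    for lineno, service, src, dst, port in found:
        print(f"line {lineno}: {src} -> {dst}:{port} ({service}) outside permitted sources")
    print("unparsed lines:", bad)
```

If the RIS Data Collector port has been changed as the second workaround suggests, pass `build_policy(<new port>)` so the audit follows the service rather than the default.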
Solution
Apply appropriate software upgrades as mentioned in the Cisco Security Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml
Vendor Information
CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml
http://tools.cisco.com/security/center/viewAlert.x?alertId=16125
http://tools.cisco.com/security/center/viewAlert.x?alertId=16136
References
Secunia
http://secunia.com/advisories/30848/
SecurityFocus
http://www.securityfocus.com/bid/29933
http://www.securityfocus.com/bid/29935
SecurityTracker
http://www.securitytracker.com/alerts/2008/Jun/1020360.html
http://www.securitytracker.com/alerts/2008/Jun/1020361.html
AusCERT
http://www.auscert.org.au/render.html?it=9509
FrSIRT
http://www.frsirt.com/english/advisories/2008/1933
CVE Name
CVE-2008-2061
CVE-2008-2062
CVE-2008-2730
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
