CERT-In Vulnerability Note CIVN-2009-38
Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability

Original Issue Date: March 23, 2009

Severity Rating: High

Systems Affected

  • Cisco Unified CallManager 4.1 versions
  • Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b
  • Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b
  • Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
  • Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
  • Cisco Unified Communications Manager 7.0 versions prior to 7.0(2)
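The list above mixes three version styles (4.1 as a whole train, 4.x releases with an SR suffix, and 5.x/6.x/7.0 releases with a build number and optional letter), so checking an inventory by eye is error-prone. The following Python script is an added example, not code from CERT-In or Cisco: it parses version strings of the shape major.minor(build[letter])[SR<n>[letter]] (a grammar assumed from the strings in this note, not documented on the page), encodes the first fixed release of each listed train, and reports which hosts in a constructed inventory still need the fixed release. Hostnames and versions in the sample inventory are made up.

```python
import re
from typing import Dict, List, NamedTuple

# Version string grammar assumed here (not stated on the page):
#   <major>.<minor>(<build>[letter])[SR<n>[letter]]
# e.g. 5.1(3e), 6.1(3), 4.2(3)SR4b.  CUCM 4.x uses SR suffixes, 5.x and
# later use a build letter; the two are not expected to appear together.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:SR(\d+)([a-z]?))?$", re.IGNORECASE
)


class CucmVersion(NamedTuple):
    """Comparable form of a CUCM version; field order is the sort order."""
    major: int
    minor: int
    build: int
    build_letter: int  # 0 when absent, a=1, b=2, ...
    sr: int            # service release number, 0 when absent
    sr_letter: int     # 0 when absent, a=1, b=2, ...


def _letter_rank(letter: str) -> int:
    return ord(letter.lower()) - ord("a") + 1 if letter else 0


def parse_version(text: str) -> CucmVersion:
    """Parse a CUCM version string; raises ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised CUCM version string: {text!r}")
    major, minor, build, build_letter, sr, sr_letter = m.groups()
    return CucmVersion(int(major), int(minor), int(build),
                       _letter_rank(build_letter),
                       int(sr) if sr else 0,
                       _letter_rank(sr_letter))


# First fixed release per train, taken from the Systems Affected list above.
# A minor of None means the rule covers the whole major train (5.x, 6.x).
FIXED_IN = {
    (4, 2): "4.2(3)SR4b",
    (4, 3): "4.3(2)SR1b",
    (5, None): "5.1(3e)",
    (6, None): "6.1(3)",
    (7, 0): "7.0(2)",
}


def is_affected(text: str) -> bool:
    """True when the version falls inside an affected range named in the note."""
    v = parse_version(text)
    if (v.major, v.minor) == (4, 1):
        return True  # the note lists every 4.1 release as affected
    fixed = FIXED_IN.get((v.major, v.minor)) or FIXED_IN.get((v.major, None))
    if fixed is None:
        return False  # train not named in the note
    return v < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose CUCM version still needs the fixed release."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "cucm-pub-01": "6.1(2)",
    "cucm-sub-01": "6.1(3)",
    "cucm-legacy": "4.2(3)SR3",
    "cucm-legacy2": "4.2(3)SR4b",
    "cucm-branch": "7.0(1)",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, apply the fixed release")
```

Trains the note does not name (for example 7.1 or later) are reported as not affected, because this check encodes only what the note states; confirm such hosts against the Cisco advisory rather than treating silence as a clean bill of health.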

Overview

A vulnerability has been reported in Cisco Unified Communications Manager that could allow a remote attacker to perform actions on the targeted system with elevated privileges.

Description

Cisco Unified Communications Manager, formerly CallManager, contains a privilege escalation vulnerability in the IP Phone Personal Address Book (PAB) Synchronizer. If Cisco Unified Communications Manager is integrated with an external directory service, the IP Phone PAB Synchronizer feature sends certain passwords over the network in clear text. A remote, authenticated attacker could exploit this flaw by monitoring the traffic passed between their system and the targeted system. The attacker could obtain the passwords and then use them to gain complete administrative access to the target Cisco Unified Communications Manager system.

Solution

Apply the appropriate fixed versions as mentioned in the Cisco Security Advisory.
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a8643c.shtml

Vendor Information

CISCO
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a8643c.shtml

References

CISCO
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a8643c.shtml

http://tools.cisco.com/security/center/viewAlert.x?alertId=17775

Security Tracker
http://securitytracker.com/alerts/2009/Mar/1021839.html

CVE Name
CVE-2009-0632


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003