Advisory ID: cisco-sa-20130508-cvp

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp

Revision 1.3

Last Updated  2013 August 28 13:25  UTC (GMT)

For Public Release 2013 May 8 16:00  UTC (GMT)


Contents

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Distribution
Revision History
Cisco Security Procedures

Summary

Cisco Unified Customer Voice Portal Software (Unified CVP) contains multiple vulnerabilities. Various components of Cisco Unified CVP are affected; see the "Details" section for more information on the vulnerabilities. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp

Affected Products

Vulnerable Products

Cisco Unified CVP Software versions prior to 9.0.1 ES 11 are vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

Cisco Unified CVP is an interactive voice response (IVR) system that enables customers to retrieve information they need from the contact center.

Cisco Unified Customer Voice Portal Software SIP INVITE Packet Vulnerability
A malformed SIP INVITE vulnerability exists in the CallServer component of the Cisco Unified CVP could allow an unauthenticated, remote attacker to cause the system to not accept new calls.
The vulnerability is due to improper processing of malformed SIP INVITE packets. An attacker could exploit this vulnerability by sending malformed SIP INVITE packets to a Cisco Unified CVP server.
This vulnerability is documented in Cisco Bug ID CSCua65148 (registered customers only) and has been assigned CVE ID CVE-2013-1220.

Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability
A Tomcat web application vulnerability in the Tomcat Web Management component of the Cisco Unified CVP could allow an unauthenticated, remote attacker to escalate privileges and gain administrator access.
The vulnerability is due to improper configuration of Tomcat components.
This vulnerability is documented in Cisco Bug ID CSCub38384 (registered customers only) and has been assigned CVE ID CVE-2013-1221.

Cisco Unified Customer Voice Portal Software Tomcat Configuration Vulnerability
A Tomcat web application vulnerability in the Tomcat Web Management component of the Cisco Unified CVP could allow an unauthenticated, remote attacker to execute unauthorized user-supplied web applications.
The vulnerability is due to improper configuration of Tomcat components.
This vulnerability is documented in Cisco Bug ID CSCub38379 (registered customers only) and has been assigned CVE ID CVE-2013-1222.

Cisco Unified Customer Voice Portal Software File Access Vulnerability
A file access vulnerability in the log viewer of the Cisco Unified CVP could allow an unauthenticated, remote attacker to view arbitrary system files.
The vulnerability is due to an incorrect parameter check. An attacker could exploit this vulnerability by sending a crafted request to the log viewer.
This vulnerability is documented in Cisco Bug ID CSCub38372 (registered customers only) and has been assigned CVE ID CVE-2013-1223.

Cisco Unified Customer Voice Portal Software Path Traversal Vulnerability
A path traversal vulnerability in the Resource Manager component of the Cisco Unified CVP that could allow an unauthenticated, remote attacker to overwrite system files.
The vulnerability is due to an incorrect parameter check. An attacker could exploit this vulnerability by sending a crafted request to the Resource Manager.
This vulnerability is documented in Cisco Bug ID CSCub38369 (registered customers only) and has been assigned CVE ID CVE-2013-1224.

Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability
A file access vulnerability in the Cisco Unified CVP that could allow an unauthenticated, remote attacker to view arbitrary system files.
The vulnerability is due to a missing check for XML entity expansion. An attacker could exploit this vulnerability by sending a crafted request to the Resource Manager.
This vulnerability is documented in Cisco Bug ID CSCub38366 (registered customers only) and has been assigned CVE ID CVE-2013-1225.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss



CSCua65148 - Cisco Unified Customer Voice Portal Software SIP INVITE Packet Vulnerability

Calculate the environmental score of CSCua65148

CVSS Base Score - 7.8

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Low

None

None

None

Complete

CVSS Temporal Score - 6.4

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed




CSCub38384 - Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability

Calculate the environmental score of CSCub38384

CVSS Base Score - 10.0

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Low

None

Complete

Complete

Complete

CVSS Temporal Score - 8.3

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed




CSCub38379 - Cisco Unified Customer Voice Portal Software Tomcat Configuration Vulnerability

Calculate the environmental score of CSCub38379

CVSS Base Score - 7.8

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Low

None

None

Complete

None

CVSS Temporal Score - 6.4

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed




CSCub38372 - Cisco Unified Customer Voice Portal Software File Access Vulnerability

Calculate the environmental score of CSCub38372

CVSS Base Score - 7.8

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Low

None

Complete

None

None

CVSS Temporal Score - 6.4

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed




CSCub38369 - Cisco Unified Customer Voice Portal Software Path Traversal Vulnerability

Calculate the environmental score of CSCub38369

CVSS Base Score - 7.1

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Medium

None

None

Complete

None

CVSS Temporal Score - 5.9

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed




CSCub38366 - Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability

Calculate the environmental score of CSCub38366

CVSS Base Score - 7.8

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Low

None

Complete

None

None

CVSS Temporal Score - 6.4

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed



Impact

Successful exploitation of these vulnerabilities may have various impacts.

Successful exploitation of the Cisco Unified Customer Voice Portal Software SIP INVITE Packet Vulnerability documented in Cisco Bug ID CSCua65148 (registered customers only) could allow an unauthenticated, remote attacker to cause the system to not accept new calls.

Successful exploitation of the Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability documented in Cisco Bug ID CSCub38384 (registered customers only) could allow an unauthenticated, remote attacker to escalate privileges and gain administrator access.

Successful exploitation of the Cisco Unified Customer Voice Portal Software Tomcat Configuration Vulnerability documented in Cisco Bug ID CSCub38379 (registered customers only) could allow an unauthenticated, remote attacker to execute unauthorized user-supplied web applications.

Successful exploitation of the Cisco Unified Customer Voice Portal Software File Access Vulnerability documented in Cisco Bug ID CSCub38372 (registered customers only) could allow an unauthenticated, remote attacker to view arbitrary system files.

Successful exploitation of the Cisco Unified Customer Voice Portal Software Path Traversal Vulnerability documented in Cisco Bug ID CSCub38369 (registered customers only) could allow an unauthenticated, remote attacker to overwrite system files.

Successful exploitation of the Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability documented in Cisco Bug ID CSCub38366 (registered customers only) could allow an unauthenticated, remote attacker to view arbitrary system files.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

These vulnerabilities are fixed in the Cisco Unified CVP Software version 9.0.1 ES 11. All customers are encouraged to upgrade to this version or later.

Cisco Unified CVP Software version 9.0.1 ES 11 is available at the following link:

http://software.cisco.com/download/special/release.html?config=c51444496bd899c41331b5ad20b97954

Cisco Unified CVP Software version 8.5.1 ES 24 is available at the following link:

http://software.cisco.com/download/special/release.html?config=63b2b5a81375b982efe33705d44476b7

Cisco Unified CVP Software version 8.0.1 ES 15 is available at the following link:

http://software.cisco.com/download/special/release.html?config=1cbb5a9aab303602c24e4422e8b72e62

Other downloads for Cisco Unified CVP Software are available at the following link:

http://software.cisco.com/download/type.html?mdfid=270563413&catid=null

Workarounds

A workaround is available for the Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability documented in Cisco Bug ID CSCub38366 (registered customers only).

To implement the workaround for the Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability, the communication between the Cisco Unified CVP devices must be secured using SSL. For more information on how to secure the communications between Cisco Unified CVP devices, refer to the "Unified CVP security" section of the Configuration and Administration Guide for Cisco Unified CVP at the following location:

http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/customer_voice_portal/cvp9_0/configuration/guide/CCVP_BK_CA6D87A1_00_cvp-configuration-and-administration-guide.pdf

A workaround is available for the Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability documented in Cisco Bug ID CSCub38384 (registered customers only).

To implement the workaround for the Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability, the Manager and Host-Manager web applications must be removed manually from the Tomcat instances on CVP servers. Follow the instructions to remove the Manager and Host-Manager web applications:

Stop the services of respective server:
The “manager” and “host-manager” web applications need to be manually removed from Tomcat instances of your CVP servers.
CVP VXML Server
Go to the C:\Cisco\CVP\VXMLServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.

CVP Call Server
Go to the C:\Cisco\CVP\CallServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.

CVP Operation Console Server
Go to the C:\Cisco\CVP\OPSConsoleServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.

CVP Reporting Server
Go to the C:\Cisco\CVP\CallServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.
A workaround is available for the CVP: Insecure Tomcat Configuration Instance documented in Cisco Bug ID CSCub38379 (registered customers only).

To implement the workaround for the CVP: Insecure Tomcat Configuration Instance, follow these steps:

Stop the service of VXML Server:

Go to the C:\Cisco\CVP\VXMLServer\Tomcat\conf folder and edit server.xml file.

Modify autoDeploy to false. Earlier it was true.

<Host appBase="webapps" autoDeploy="false"

Start the Service VXML server.
None of the other vulnerabilities published in this document have workarounds.

Additional workaround details are available in the companion Applied Mitigation Bulletin (AMB) at the following location:

http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28982

Obtaining Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers using Third Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

These vulnerabilities were reported to Cisco by Alex Senkevitch.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.


Revision History

Revision 1.3 2013-August-28 Updated Workarounds section.
Revision 1.2 2013-July-30 Added location of patches for 8.x releases.
Revision 1.1 2013-May-10 Updated Workarounds and Software Versions and Fixes sections.
Revision 1.0 2013-May-08 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.