Advisory ID: cisco-sa-20130717-cucm

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-cucm

Revision 1.1

Last Updated 2013 July 17 18:00 UTC (GMT)

For Public Release 2013 July 17 16:00 UTC (GMT)


Contents

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Distribution
Revision History
Cisco Security Procedures

Summary

Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM.

On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server. The attack chain used the following types of vulnerabilities:

Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.

Cisco has released a Cisco Options Package (COP) file that addresses three of the vulnerabilities documented in this advisory. Cisco is currently investigating the remaining vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-cucm

Affected Products

Vulnerable Products

The following products are affected by the vulnerabilities that are described in this advisory: Note: Cisco Unified CM version 8.0 reached the End of Software Maintenance on October 23, 2012. Customers using Cisco Unified CM 8.0(x) versions should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unified CM.

Cisco Unified CM is the only product confirmed to be vulnerable to the documented attack. Additional voice products may be affected by one or more of the individual vulnerabilities that are described in this advisory. The following products are being investigated but have not yet been confirmed as vulnerable:

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

Cisco Unified CM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Blind Structured Query Language Injection Vulnerabilities

Cisco Unified CM and associated products may contain one or more of the following blind SQL injection vulnerabilities. The vulnerabilities may be exploited from an authenticated or unauthenticated context depending on the particular vulnerability.

SQL injection vulnerabilities are due to a failure to perform proper validation of user-supplied requests prior to being used to form an SQL query. An attacker could exploit this behavior by injecting SQL commands. An exploit could allow the attacker to disclose or modify arbitrary information in the database.

The first of the identified vulnerabilities could be exploited by an unauthenticated, remote attacker. An exploit could allow the attacker to use metadata to recreate encrypted information in the database. This metadata could be used to reconstruct encrypted credentials.

This vulnerability is documented in Cisco bug ID CSCuh01051 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-3404. This vulnerability applies to Cisco Unified CM versions 9.1(1a) and prior.

The second vulnerability could be exploited by an authenticated, remote attacker. An exploit could allow the attacker to modify or insert additional data into certain tables in the database.

This vulnerability is documented in Cisco bug ID CSCuh81766 (registered customers only) and has been assigned CVE ID CVE-2013-3412. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.

These vulnerabilities can be exploited over the default management ports, TCP ports 8080 or 8443.
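The following is an added example, not code from the advisory or from Cisco Unified CM, showing the two query styles the text contrasts: a request value spliced into the SQL text versus the same value bound as a parameter. The table and the lookup functions are constructed for the illustration. A blind (boolean-based) injection works only because the application's response changes with the truth of an injected condition; the parameterized lookup gives the same answer for every such input, which is why it closes the hole.

```python
import sqlite3

# Constructed stand-in for a credentials table; this is not the Cisco Unified CM
# schema, and the lookup functions are not Cisco code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enduser (userid TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO enduser VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def lookup_unsafe(conn, userid):
    # Vulnerable pattern: the value becomes part of the statement, so quotes,
    # boolean operators and comment markers inside it are parsed as SQL.
    sql = "SELECT userid FROM enduser WHERE userid = '%s'" % userid
    return sorted(row[0] for row in conn.execute(sql))

def lookup_safe(conn, userid):
    # Hardened pattern: the value is bound as a parameter and never parsed as
    # SQL, so any input can only ever match a literal userid.
    rows = conn.execute("SELECT userid FROM enduser WHERE userid = ?", (userid,))
    return sorted(row[0] for row in rows)

def responses_differ(conn, value):
    """True when the two lookups answer differently for the same input.
    That difference is exactly the signal a blind injection relies on; with
    parameterized queries the response never depends on an injected condition."""
    return lookup_unsafe(conn, value) != lookup_safe(conn, value)

if __name__ == "__main__":
    db = make_db()
    for value in ["alice", "alice' AND 1=1 --", "alice' AND 1=2 --", "x' OR 1=1 --"]:
        print("%-22r unsafe=%-18s safe=%s"
              % (value, lookup_unsafe(db, value), lookup_safe(db, value)))
```

Running the block prints the unsafe lookup answering the two `AND` probes differently (one row versus none) while the parameterized lookup returns no row for either, and the `OR 1=1` input returning every row only through the unsafe path.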

Hard-Coded Encryption Key

Cisco Unified Communications Manager (Unified CM) contains a hard-coded encryption key used for the encryption of sensitive data stored within the database, and securing computer telephony integration (CTI) communications.

The issue is due to the use of a static symmetric encryption key in all Cisco Unified CM versions. An attacker who knows this key could decrypt sensitive data, including user credentials obtained through other attacks. This issue is documented in Cisco bug ID CSCsc69187 (registered customers only). This issue applies to Cisco Unified CM versions 9.1(2) and prior.

Cisco Unified Presence Server/IM & Presence Service versions 9.1(2) and prior are also affected by this issue. This issue is documented in Cisco bug ID CSCui01756 (registered customers only).

Command Injection Vulnerability

A vulnerability in Cisco Unified Communications Manager (Unified CM) could allow an authenticated, remote attacker to execute commands on the underlying operating system with the privileges of the database user.

The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by submitting malicious input to the affected function.

This vulnerability is documented in Cisco bug ID CSCuh73440 (registered customers only) and has been assigned CVE ID CVE-2013-3402. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.

Privilege Escalation Vulnerability

Vulnerabilities in Cisco Unified Communications Manager could allow an authenticated, local attacker to escalate privileges on the system.

The vulnerabilities are due to improper file permissions and to the use of environment variables and relative paths in privileged system scripts or binaries. An attacker could exploit these vulnerabilities by modifying certain system scripts, which could allow the attacker to gain complete control of the affected system.

The first two privilege escalation vulnerabilities are documented in Cisco bug IDs CSCuh73454 (registered customers only) and CSCuh87042 (registered customers only) and have been assigned CVE ID CVE-2013-3403.

A third privilege escalation vulnerability is documented in Cisco bug ID CSCui02242 (registered customers only) and has been assigned CVE ID CVE-2013-3434.

A fourth privilege escalation vulnerability is documented in Cisco bug ID CSCui02276 (registered customers only) and has been assigned CVE ID CVE-2013-3433.

These vulnerabilities apply to Cisco Unified CM versions 9.1(1a) and prior.
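The command injection and privilege escalation sections above describe the same two root causes from the defender's side: user input reaching a command without validation, and privileged scripts that trust their environment, their search path or their own file permissions. The following added example (not Cisco code; TOOL, SAFE_ENV and the allow-list pattern are assumed values chosen for the illustration) shows a small privileged helper that invokes a tool by absolute path with a fixed environment and an argv list instead of a shell string, allow-lists its one argument, and refuses to execute a script that is group- or world-writable or not owned by the expected user.

```python
import os
import re
import stat
import subprocess
import tempfile

# Constructed illustration, not Cisco Unified CM code. TOOL and SAFE_ENV are
# assumed values for the example.
TOOL = "/bin/echo"                                    # absolute path, never resolved via PATH
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}     # fixed environment; nothing is inherited
VALUE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # allow-list; no leading '-'

def validate_value(value):
    """Allow-list check. Shell metacharacters (; | & $ ` and quotes), whitespace,
    path traversal and option-looking values all fail, so they never reach the tool."""
    return bool(VALUE_RE.match(value))

def build_command(value):
    """Return argv for the tool. argv goes to the OS directly (no shell), so even if
    validation were bypassed, characters such as ';' would be plain text to the tool."""
    if not validate_value(value):
        raise ValueError("rejected input: %r" % (value,))
    return [TOOL, value]

def run_tool(value):
    """Run the tool with the hardened argv and environment; return its stdout."""
    result = subprocess.run(build_command(value), env=SAFE_ENV,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()

def privileged_script_is_safe(path, owner_uid=0):
    """Check a script before a privileged process executes it: a regular file, owned
    by owner_uid (root by default), and not writable by group or others. A script
    failing this check could be edited by an unprivileged user and then run with
    the privileges of whoever executes it."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != owner_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def demo_permission_check():
    """Create two temporary scripts owned by the current user, mode 0644 and
    group-writable 0664, and return (result_for_0644, result_for_0664)."""
    results = []
    for mode in (0o644, 0o664):
        fd, path = tempfile.mkstemp(suffix=".sh")
        os.write(fd, b"#!/bin/sh\necho hello\n")
        os.close(fd)
        os.chmod(path, mode)
        results.append(privileged_script_is_safe(path, owner_uid=os.getuid()))
        os.unlink(path)
    return tuple(results)

if __name__ == "__main__":
    print(run_tool("node01"))
    for bad in ("node01; id", "$(id)", "-n", "../node01"):
        try:
            build_command(bad)
        except ValueError as exc:
            print(exc)
    print(demo_permission_check())
```

The allow-list and the argv list are two independent layers: the list removes shell interpretation entirely, and the allow-list keeps option parsing and path tricks inside the tool itself out of reach. The fixed environment is what defends against the environment-variable and relative-path class of privilege escalation; the permission check is what defends against a writable script being modified before a privileged user runs it.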

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

CSCuh01051 - Cisco Unified Communications Manager Blind SQL Injection Vulnerability

CVSS Base Score - 6.4

  Access Vector            Network
  Access Complexity        Low
  Authentication           None
  Confidentiality Impact   Partial
  Integrity Impact         Partial
  Availability Impact      None

CVSS Temporal Score - 5.5

  Exploitability           Functional
  Remediation Level        Temporary-Fix
  Report Confidence        Confirmed

CSCuh81766 - Cisco Unified Communications Manager Blind Structured Query Language Injection Vulnerabilities

CVSS Base Score - 5.5

  Access Vector            Network
  Access Complexity        Low
  Authentication           Single
  Confidentiality Impact   Partial
  Integrity Impact         Partial
  Availability Impact      None

CVSS Temporal Score - 5.2

  Exploitability           Functional
  Remediation Level        Unavailable
  Report Confidence        Confirmed

CSCuh73454 and CSCuh87042 - Cisco Unified Communications Manager Privilege Escalation Vulnerability

CVSS Base Score - 6.8

  Access Vector            Local
  Access Complexity        Low
  Authentication           Single
  Confidentiality Impact   Complete
  Integrity Impact         Complete
  Availability Impact      Complete

CVSS Temporal Score - 5.5

  Exploitability           Proof-of-Concept
  Remediation Level        Temporary-Fix
  Report Confidence        Confirmed

CSCuh73440 - Cisco Unified Communications Manager Command Injection Vulnerability

CVSS Base Score - 6.5

  Access Vector            Network
  Access Complexity        Low
  Authentication           Single
  Confidentiality Impact   Partial
  Integrity Impact         Partial
  Availability Impact      Partial

CVSS Temporal Score - 5.9

  Exploitability           Proof-of-Concept
  Remediation Level        Unavailable
  Report Confidence        Confirmed

CSCui02242 - Cisco Unified Communications Manager Privilege Escalation Vulnerability

CVSS Base Score - 6.8

  Access Vector            Local
  Access Complexity        Low
  Authentication           Single
  Confidentiality Impact   Complete
  Integrity Impact         Complete
  Availability Impact      Complete

CVSS Temporal Score - 6.1

  Exploitability           Proof-of-Concept
  Remediation Level        Unavailable
  Report Confidence        Confirmed

CSCui02276 - Cisco Unified Communications Manager Privilege Escalation Vulnerability

CVSS Base Score - 6.8

  Access Vector            Local
  Access Complexity        Low
  Authentication           Single
  Confidentiality Impact   Complete
  Integrity Impact         Complete
  Availability Impact      Complete

CVSS Temporal Score - 6.1

  Exploitability           Proof-of-Concept
  Remediation Level        Unavailable
  Report Confidence        Confirmed

Note: The hard-coded static encryption key is considered a hardening issue rather than a vulnerability, and as such, has a CVSS score of 0/0.

Impact

Successful exploitation of the blind SQL injection vulnerabilities could allow a remote attacker to reconstruct encrypted credentials and insert rows in the Cisco Unified CM database. The initial blind SQL injection allows an unauthenticated, remote attacker to use the hard-coded encryption key to obtain and decrypt a local user account. This allows for a subsequent, authenticated blind SQL injection.

Successful exploitation of the command injection and privilege escalation vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

There are no Cisco Unified CM versions currently available that contain software fixes for the vulnerabilities described in this advisory. This advisory will be updated as fixed software is made available. In the interim, Cisco has released a Cisco Options Package (COP) file that addresses the following vulnerabilities: CSCuh01051, CSCuh87042 and CSCuh73454.

Customers can download and install the COP file as a solution for the previous vulnerabilities while awaiting fixed software versions.

This package will install on the following system versions: The COP file, cmterm-CSCuh01051-2.cop.sgn, is located in the Utilities section of the software downloads page for each of the versions in the preceding list. For instance, the file for 9.1(x) versions would be located by navigating the following path on the software downloads page:

Products -> Voice and Unified Communications -> IP Telephony -> Unified Communications Platform -> Cisco Unified Communications Manager -> Cisco Unified Communications Manager Version 9.1 -> Unified Communications Manager / CallManager / Cisco Unity Connection Utilities-COP-Files

The COP file mitigates the initial attack vector (CSCuh01051) and reduces the documented attack surface. Application of the COP file is highly recommended for all affected Cisco Unified CM product versions.

Workarounds

There are no workarounds for the vulnerabilities described in this document.

Additional workaround details are available in the companion Applied Mitigation Bulletin (AMB) at the following location: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29846

Obtaining Fixed Software

Cisco has released a COP file that addresses three of the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers using Third Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The blind SQL injection vulnerability (CSCuh01051) was initially reported to Cisco by Emerging Defense, LLC.

These vulnerabilities were demonstrated during the SSTIC 2013 IT security conference in Rennes, France on June 6, 2013, by a French security firm, Lexfo. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security Intelligence Operations at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-cucm

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History

Revision 1.1 2013-July-17 Corrected CVSS score to correct the remediation level for privilege escalation vulnerabilities CSCuh73454 and CSCuh87042 (CVE-2013-3403). Two minor wording corrections for clarity.
Revision 1.0 2013-July-17 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.