AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Cisco Unified Communications Manager, formerly CallManager, contains a privilege escalation vulnerability in the IP Phone Personal Address Book (PAB) Synchronizer feature that may allow an attacker to gain complete administrative access to a vulnerable Cisco Unified Communications Manager system. If Cisco Unified Communications Manager is integrated with an external directory service, it may be possible for an attacker to leverage the privilege escalation vulnerability to gain access to additional systems configured to use the directory service for authentication.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090311-cucmpab.
-
Vulnerable Products
The following products are vulnerable:
-
Cisco Unified CallManager 4.1 versions
-
Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b
-
Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b
-
Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
-
Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
-
Cisco Unified Communications Manager 7.0 versions prior to 7.0(2)
Administrators of systems that are running Cisco Unified Communications Manager software version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the Cisco Unified Communications Manager administration interface.
Administrators of systems that are running Cisco Unified Communications Manager software versions 5.x, 6.x, and 7.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI).
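The following is an added example, not part of the Cisco advisory, that turns the Vulnerable Products list above into an inventory check: it parses Cisco Unified Communications Manager version strings in the form shown in the administration interface (for example 4.2(3)SR4b or 5.1(3e)) and reports whether the version falls in an affected range. It also accepts a dotted form such as 7.0.2.10000-26, on the assumption that the first three numbers correspond to major.minor(maintenance); the dotted form carries no service-release suffix, so a 4.x version given that way is compared as if no SR were applied. The sample inventory at the bottom is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Comparison key: (major, minor, maintenance, maintenance-letter rank, SR number, SR-letter rank).
# A missing letter ranks 0, "a" ranks 1, "b" ranks 2, and so on, so 5.1(3) < 5.1(3a) < 5.1(3e).
VersionKey = Tuple[int, int, int, int, int, int]

_PAREN_FORM = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:SR(\d+)([a-z]?))?$", re.IGNORECASE)
# Assumed dotted form "major.minor.maintenance[.build[-rev]]"; build and revision are ignored.
_DOTTED_FORM = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+(?:-\d+)?)?$")


def _letter_rank(letter: str) -> int:
    return 0 if not letter else ord(letter.lower()) - ord("a") + 1


def parse_version(text: str) -> VersionKey:
    """Parse a version string into a tuple that sorts in release order."""
    s = text.strip()
    m = _PAREN_FORM.match(s)
    if m:
        major, minor, maint, mletter, sr, sletter = m.groups()
        return (int(major), int(minor), int(maint), _letter_rank(mletter),
                int(sr or 0), _letter_rank(sletter))
    m = _DOTTED_FORM.match(s)
    if m:
        major, minor, maint = m.groups()
        return (int(major), int(minor), int(maint), 0, 0, 0)
    raise ValueError(f"unrecognised Cisco Unified Communications Manager version: {text!r}")


# First fixed release per train, taken from the advisory's Vulnerable Products list.
# Key is (major, minor) for trains listed by minor version, (major, None) for whole-major trains.
# A value of None means every version in that train is affected (4.1 has no fixed release;
# the advisory directs 4.1 systems to 4.2(3)SR4b).
FIXED: Dict[Tuple[int, Optional[int]], Optional[str]] = {
    (4, 1): None,
    (4, 2): "4.2(3)SR4b",
    (4, 3): "4.3(2)SR1b",
    (5, None): "5.1(3e)",
    (6, None): "6.1(3)",
    (7, 0): "7.0(2)",
}


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is at or past the fix,
    None if the advisory does not cover that release train at all."""
    key = parse_version(version)
    major, minor = key[0], key[1]
    if (major, minor) in FIXED:
        fixed = FIXED[(major, minor)]
    elif (major, None) in FIXED:
        fixed = FIXED[(major, None)]
    else:
        return None
    if fixed is None:
        return True
    return key < parse_version(fixed)


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'vulnerable' / 'fixed' / 'not covered' for a dict of hostname -> version."""
    labels = {True: "vulnerable", False: "fixed", None: "not covered"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "cucm-pub-a": "4.2(3)SR4a",
        "cucm-pub-b": "4.2(3)SR4b",
        "cucm-sub-c": "5.1(3d)",
        "cucm-sub-d": "7.0.2.10000-26",
        "cucm-sub-e": "7.0(1)",
    }
    for host, verdict in assess_inventory(sample).items():
        print(f"{host:12s} {sample[host]:18s} {verdict}")
```

Comparison is purely lexical on the parsed tuple, so an unusual suffix that does not match either pattern raises ValueError rather than being silently classified; treat such hosts as needing a manual check against the list above.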
Products Confirmed Not Vulnerable
Cisco Unified Communications Manager Express is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature of Cisco Unified Communications Manager allows users to keep their Cisco Unified Communications Manager address book synchronized with their Microsoft Windows address book. The IP Phone PAB Synchronizer feature contains a privilege escalation vulnerability that may allow an attacker to obtain complete administrative access to a vulnerable Cisco Unified Communications Manager system. After an IP Phone PAB Synchronizer client successfully authenticates to a Cisco Unified Communications Manager device over an HTTPS connection, the Cisco Unified Communications Manager returns credentials for a user account that is used to manage the Cisco Unified Communications Manager directory service. If an attacker is able to intercept the credentials, they can perform unauthorized modifications to the Cisco Unified Communications Manager configuration and extend their privileges. The IP Phone PAB Synchronizer client has been redesigned to allow address book synchronization without requiring the directory service credentials. This vulnerability does not allow an attacker to gain access to the underlying platform operating system of any Cisco Unified Communications Manager system.
Cisco Unified Communications Manager 4.x
Cisco Unified Communications Manager software version 4.x by default stores user information using an internal Lightweight Directory Access Protocol (LDAP) server called DC Directory. After an IP Phone PAB Synchronizer client successfully authenticates, the Cisco Unified Communications Manager returns credentials for the DC Directory user that will be used by the client to synchronize a user's address book. Depending on how a Cisco Unified Communications Manager is configured, an attacker may obtain different privilege levels using the intercepted credentials.
By default, Cisco Unified Communications Manager software version 4.x administrator accounts are created as part of an underlying Microsoft Windows operating system. Cisco Unified Communications Manager is commonly deployed using the Multi-Level Administration (MLA) feature to ease the integration of Cisco Unified Communications Manager into enterprise environments. If MLA is enabled, Cisco Unified Communications Manager stores administrator accounts in the Cisco Unified Communications Manager DC Directory service. If an attacker obtains the DC Directory credentials and MLA is enabled, the attacker can add an existing account to the Cisco Unified Communications Manager super-user group. The attacker can then access the Cisco Unified Communications Manager management interface with complete administrative access. If MLA is not enabled, the attacker cannot escalate their privileges; however, they can modify any user settings in the directory.
The Cisco Unified Communications Manager 4.x IP Phone PAB Synchronizer client uses an unencrypted LDAP connection to perform address book synchronization. The DC Directory credentials are passed in the clear over the network and are vulnerable to being sniffed by an attacker. If using the DC Directory internal LDAP server, the IP Phone PAB Synchronizer client communicates to Cisco Unified Communications Manager on TCP ports 8404 and 8405.
Cisco Unified Communications Manager 5.x, 6.x, 7.x
Cisco Unified Communications Manager software versions 5.x, 6.x, and 7.x store user information as a part of the internal Cisco Unified Communications Manager configuration database. The IP Phone PAB Synchronizer client uses the AXL application programming interface (API) to perform address book synchronization. After a client successfully authenticates, the Cisco Unified Communications Manager returns credentials for a database user account named TabSyncSysUser that will be used by the client to synchronize a user's address book. The TabSyncSysUser account has full read and write privileges to the Cisco Unified Communications Manager configuration database. Using the TabSyncSysUser credentials via the AXL API, an attacker can modify any parameter in the database, including creating new administrator accounts.
Directory Service Integration
Cisco Unified Communications Manager software versions 4.x, 5.x, 6.x, and 7.x can be integrated with Microsoft Active Directory and several non-Microsoft LDAP servers to perform user authentication. In order to function properly, the integration process requires that appropriate user credentials for the directory service are provided to Cisco Unified Communications Manager. If an attacker intercepts or sniffs the directory service credentials returned by a Cisco Unified Communications Manager responding to an IP Phone PAB Synchronizer client, the attacker may be able to leverage the credentials to gain access to additional systems configured to use the directory service for authentication.
Administrators should ensure that any directory service credentials used for the Cisco Unified Communications Manager integration process are configured to follow the principle of least privilege. The credentials should be configured with only the privileges necessary to access the directory service data needed for the integration process to function properly. The use of overly privileged administrator accounts is discouraged. Please see the Workarounds section for more information on performing the integration of Cisco Unified Communications Manager with AD using the least privilege concept.
This vulnerability is documented in Cisco Bug IDs CSCso76587 and CSCso78528 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0632.
-
It is possible to mitigate this vulnerability using the following workarounds.
Cisco Unified Communications Manager 4.x
It is possible to mitigate this vulnerability by moving the ASP script that IP Phone Personal Address Book (PAB) Synchronizer clients interact with to a directory location that is not accessible to the Cisco Unified Communications Manager web server. The system drive where the ASP script resides depends on how Cisco Unified Communications Manager was installed. Employing this workaround will prevent address book synchronization; however, the PAB application will continue to function. The ASP script can be moved using the following command:
C:\> move c:\CiscoWebs\User\LDAPDetails.asp c:\temp
It is also possible to mitigate this vulnerability by implementing filtering on screening devices or using the Windows firewall. Administrators are advised to permit access to TCP ports 8404 and 8405 only from trusted networks.
Cisco Unified Communications Manager 5.x, 6.x, 7.x
It is possible to mitigate this vulnerability by restricting the permissions of the TabSyncSysUser database user account. In the Cisco Unified Communications Manager Administration interface, navigate to User Management > Application User and search for the TabSyncSysUser account. Remove all groups from the account and change the password. Employing this workaround will prevent address book synchronization; however, the PAB application will continue to function.
Active Directory Integration
To improve the security of Cisco Unified Communications Manager integration with Active Directory (AD), Cisco has produced a whitepaper that provides a detailed explanation of how to perform Cisco Unified Communications Manager integration with AD using the least-privileged principle. The whitepaper can be downloaded here:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080a83435.shtml
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Cisco Unified Communications Manager software version 4.2(3)SR4b contains the fix for this vulnerability. Administrators of Cisco Unified CallManager software version 4.1 systems are encouraged to upgrade to Cisco Unified Communications Manager software version 4.2(3)SR4b in order to obtain fixed software. Version 4.2(3)SR4b can be downloaded at the following link:
Cisco Unified Communications Manager software version 4.3(2)SR1b contains the fix for this vulnerability. Version 4.3(2)SR1b can be downloaded at the following link:
Cisco Unified Communications Manager software version 5.1(3e) contains the fix for this vulnerability. Version 5.1(3e) can be downloaded at the following link:
Cisco Unified Communications Manager software version 6.1(3) contains the fix for this vulnerability. Version 6.1(3) can be downloaded at the following link:
Cisco Unified Communications Manager software version 7.0(2) contains the fix for this vulnerability. Version 7.0(2) can be downloaded at the following link:
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
The vulnerability in Cisco Unified Communications Manager 4.x software versions was reported to Cisco by Olivier Grosjeanne of Dimension Data France. The vulnerability in Cisco Unified Communications Manager 5.x, 6.x and 7.x software versions was reported by Oliver Dewdney of LBI.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2009-March-11
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.