Summary

• Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM.
  
  On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server. The attack chain used the following types of vulnerabilities:

  • Blind Structured Query Language (SQL) injection
  • Command injection
  • Privilege escalation

  Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.
  
  Cisco has released a Cisco Options Package (COP) file that addresses three of the vulnerabilities documented in this advisory. Cisco is currently investigating the remaining vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.
  
  This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-cucm

Affected Products

• Vulnerable Products

  The following products are affected by the vulnerabilities that are described in this advisory:

  • Cisco Unified Communications Manager 7.1(x)
  • Cisco Unified Communications Manager 8.5(x)
  • Cisco Unified Communications Manager 8.6(x)
  • Cisco Unified Communications Manager 9.0(x)
  • Cisco Unified Communications Manager 9.1(x)

  Note: Cisco Unified CM version 8.0 reached the End of Software Maintenance on October 23, 2012. Customers using Cisco Unified CM 8.0(x) versions should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unified CM.
  
  Cisco Unified CM is the only product confirmed to be vulnerable to the documented attack. Additional voice products may be affected by one or more of the individual vulnerabilities that are described in this advisory. The following products are being investigated but have not yet been confirmed as vulnerable:

  • Cisco Emergency Responder
  • Cisco Unified Contact Center Express
  • Cisco Unified Customer Voice Portal
  • Cisco Unified Presence Server/Cisco IM and Presence Service
  • Cisco Unity Connection

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• Cisco Unified CM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.
  
  Blind Structured Query Language Injection Vulnerabilities
  
  Cisco Unified CM and associated products may contain one or more of the following blind SQL injection vulnerabilities. The vulnerabilities may be exploited from an authenticated or unauthenticated context depending on the particular vulnerability.
  
  SQL injection vulnerabilities are due to a failure to perform proper validation of user-supplied requests prior to being used to form an SQL query. An attacker could exploit this behavior by injecting SQL commands. An exploit could allow the attacker to disclose or modify arbitrary information in the database.
  
  The first of the identified vulnerabilities could be exploited by an unauthenticated, remote attacker. An exploit could allow the attacker to use metadata to recreate encrypted information in the database. This metadata could be used to reconstruct encrypted credentials.
  
  This vulnerability is documented in Cisco bug ID CSCuh01051 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-3404. This vulnerability applies to Cisco Unified CM versions 9.1(1a) and prior.
  
  The second vulnerability could be exploited by an authenticated, remote attacker. An exploit could allow the attacker to modify or insert additional data into certain tables in the database.
  
  This vulnerability is documented in Cisco bug ID CSCuh81766 (registered customers only) and has been assigned CVE ID CVE-2013-3412. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.
  
  These vulnerabilities can be exploited over the default management ports, TCP ports 8080 or 8443.
  
  Hard-Coded Encryption Key
  
  Cisco Unified Communications Manager (Unified CM) contains a hard-coded encryption key used for the encryption of sensitive data stored within the database, and securing computer telephony integration (CTI) communications.
  
  The issue is due to the use of a static symmetric encryption key in all Cisco Unified CM versions. An attacker could exploit this issue by using the secret key to decrypt sensitive data including user credentials. An exploit could allow the attacker to decrypt sensitive system information such as user credentials gained when using other attacks. This issue is documented in Cisco bug ID CSCsc69187 (registered customers only). This issue applies to Cisco Unified CM versions 9.1(2) and prior.
  
  Cisco Unified Presence Server/IM & Presence Service versions 9.1(2) and prior are also affected by this issue. This issue is documented in Cisco bug ID CSCui01756 (registered customers only).
  
  Command Injection Vulnerability
  
  A vulnerability in Cisco Unified Communications Manager (Unified CM) could allow an authenticated, remote attacker to execute commands on the underlying operating system with the privileges of the database user.
  
  The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by submitting malicious input to the affected function.
  
  This vulnerability is documented in Cisco bug ID CSCuh73440 (registered customers only) and has been assigned CVE ID CVE-2013-3402. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.
  
  Privilege Escalation Vulnerability
  
  Vulnerabilities in Cisco Unified Communications Manager could allow an authenticated, local attacker to escalate privileges on the system.
  
  The vulnerabilities are due to improper file permissions, environment variables and relative paths in a privileged system script or binary. An attacker could exploit these vulnerabilities by modifying certain system scripts. This could allow the attacker to gain complete control of the affected system.
  
  This first two privilege escalation vulnerabilities are documented in Cisco bug ID CSCuh73454 (registered customers only) and CSCuh87042 (registered customers only) and have been assigned CVE ID CVE-2013-3403.
  
  A third privilege escalation vulnerability is documented in Cisco bug ID CSCui02242 (registered customers only) and has been assigned CVE ID CVE-2013-3434.
  
  A fourth privilege escalation vulnerability is documented in Cisco bug ID CSCui02276 (registered customers only) and has been assigned CVE ID CVE-2013-3433.
  
  These vulnerabilities apply to Cisco Unified CM versions 9.1(1a) and prior.

Workarounds

• There are no workarounds for the vulnerabilities described in this document.
  
  Additional workaround details are available in the companion Applied Mitigation Bulletin (AMB) at the following location: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29846

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  There are no Cisco Unified CM versions currently available that contain software fixes for the vulnerabilities described in this advisory. This advisory will be updated as fixed software is made available. In the interim, Cisco has released a Cisco Options Package (COP) file that addresses the following vulnerabilities: CSCuh01051, CSCuh87042 and CSCuh73454.
  
  Customers can download and install the COP file as a solution for the previous vulnerabilities while awaiting fixed software versions.
  
  This package will install on the following system versions:

  • 7.1.3
  • 7.1.5
  • 8.5.1
  • 8.6.2
  • 9.1.1

  The COP file, cmterm-CSCuh01051-2.cop.sgn, is located in the Utilities section of the software downloads page for each of the versions in the preceding list. For instance, the file for 9.1(x) versions would be located by navigating the following path on the software downloads page:
  
  Products -> Voice and Unified Communications -> IP Telephony -> Unified Communications Platform -> Cisco Unified Communications Manager -> Cisco Unified Communications Manager Version 9.1 -> Unified Communications Manager / CallManager / Cisco Unity Connection Utilities-COP-Files
  
  The COP file mitigates the initial attack vector (CSCuh01051) and reduces the documented attack surface. Application of the COP file is highly recommended for all affected Cisco Unified CM product versions.

Exploitation and Public Announcements

• The blind SQL injection vulnerability (CSCuh01051) was initially reported to Cisco by Emerging Defense, LLC.
  
  These vulnerabilities were demonstrated during the SSTIC 2013 IT security conference in Rennes, France on June 6, 2013, by a French security firm, Lexfo. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-cucm

Revision History

• Revision 1.1	2013-July-17	Corrected CVSS score to correct the remediation level for privilege escalation vulnerabilities CSCuh73454 and CSCuh87042 (CVE-2013-3403). Two minor wording corrections for clarity.
  Revision 1.0	2013-July-17	Initial public release.

  Show Less