Summary

• Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities. There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges. There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0.

  Cisco has made free software available to address these vulnerabilities for affected customers. There are no workarounds available to mitigate the effects of these vulnerabilities.

  This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060712-cucm.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  Only Cisco Unified CallManager versions 5.0(1), 5.0(2), 5.0(3) and 5.0(3a) are affected.

  The version of CallManager software running can be determined navigating to Show > Software in the CUCM IPT Platform administration interface or by running the command show version active in the CLI.

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities, including all previous versions of Cisco Unified CallManager.

Details

• Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution which extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

  The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.

  Cisco Unified CallManager supports the coexistence of both SCCP and SIP phones, allowing for migration to SIP while protecting investments in existing devices. CUCM contains a buffer overflow vulnerability in the processing of excessively long hostnames which may be included in a SIP request.

  These issues are documented by the following Cisco bug IDs:

  • CSCse11005 ( registered customers only) Certain CLI commands allow execution of arbitrary Linux commands
    
  • CSCse31704 ( registered customers only) User able to redirect command output to a file folder
    
  • CSCsd96542 ( registered customers only) SD-GA: CCM cores when SIP request line host name has ASCII overflow
    

Workarounds

• There are no workarounds for these vulnerabilities.

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060712-cucm

Revision History

• Revision 1.0

  2006-July-12 1600 UTC (GMT)

  Initial public release

  Show Less