Cisco Security Advisory
Multiple Cisco Unified CallManager Vulnerabilities

AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C
-
Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities. There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges. There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0.
Cisco has made free software available to address these vulnerabilities for affected customers. There are no workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060712-cucm.
-
This section provides details on affected products.
Vulnerable Products
Only Cisco Unified CallManager versions 5.0(1), 5.0(2), 5.0(3) and 5.0(3a) are affected.
The version of CallManager software running can be determined navigating to Show > Software in the CUCM IPT Platform administration interface or by running the command show version active in the CLI.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities, including all previous versions of Cisco Unified CallManager.
-
Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution which extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.
The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.
Cisco Unified CallManager supports the coexistence of both SCCP and SIP phones, allowing for migration to SIP while protecting investments in existing devices. CUCM contains a buffer overflow vulnerability in the processing of excessively long hostnames which may be included in a SIP request.
These issues are documented by the following Cisco bug IDs:
-
CSCse11005
(
registered customers only)
Certain CLI commands
allow execution of arbitrary Linux commands
-
CSCse31704
(
registered customers only)
User able to redirect
command output to a file folder
-
CSCsd96542
(
registered customers only)
SD-GA: CCM cores when
SIP request line host name has ASCII overflow
-
CSCse11005
(
registered customers only)
Certain CLI commands
allow execution of arbitrary Linux commands
-
There are no workarounds for these vulnerabilities.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.