Cisco Unified Communications Manager contains an issue that could allow a local attacker to access sensitive information. Updates are not available.
Cisco Unified Communications Manager (Unified CM) contains a hard-coded encryption key that is used both to encrypt sensitive data stored in its database and to secure computer telephony integration (CTI) communications.
The issue is due to the use of a static symmetric encryption key in all Cisco Unified CM versions; because the key is built into the software, it is the same on every installation. An attacker who has already obtained encrypted data through some other attack, such as a copy of the database or captured CTI traffic, could use the key to decrypt it and recover sensitive system information, including user credentials.
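As an added illustration (not Cisco's code, and not the actual key, algorithm or record format Unified CM uses), the following Python contrasts the pattern the advisory describes, one key compiled into the product and therefore present in every installation, with a key generated per installation and kept outside the database. The HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is a dependency-free stand-in for a vetted AEAD such as AES-GCM; the key bytes and the credential string are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example: a key compiled into the product. Because it is
# part of the software, every installation carries the identical value, which is
# the weakness the advisory describes. It is NOT the real Unified CM key.
HARDCODED_PRODUCT_KEY = b"example-product-wide-static-key"

_NONCE_LEN = 16
_TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(_NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < _NONCE_LEN + _TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def static_key_scenario(credential: bytes) -> Optional[bytes]:
    """Weak pattern: a victim install protects a credential with the product-wide key.

    An attacker who copies the encrypted row (for example from a database dump
    obtained through some other attack) decrypts it with the key from their own
    copy of the software; no secret specific to the victim is needed.
    """
    victim_blob = encrypt(HARDCODED_PRODUCT_KEY, credential)
    key_known_to_attacker = HARDCODED_PRODUCT_KEY  # same bytes in every install
    return decrypt(key_known_to_attacker, victim_blob)


def per_install_scenario(credential: bytes) -> Optional[bytes]:
    """Hardened pattern: each installation generates its own random key at setup
    time and keeps it outside the database (a root-only file, an HSM or a KMS).

    The attacker's installation holds a different key, so the stolen blob fails
    authentication and reveals nothing.
    """
    victim_key = os.urandom(32)     # generated once on the victim at install time
    attacker_key = os.urandom(32)   # the attacker's own install has its own key
    victim_blob = encrypt(victim_key, credential)
    return decrypt(attacker_key, victim_blob)


if __name__ == "__main__":
    sample = b"ctiuser:Example-Passw0rd"   # constructed sample credential
    print("static product key ->", static_key_scenario(sample))
    print("per-install key    ->", per_install_scenario(sample))
```

The point of the contrast is that no cipher strength helps when the key ships inside the product: anyone who can read the software can read the data. A per-installation key moves the secret out of the artifact an attacker can obtain by simply installing a copy, and its compromise requires access to that one deployment.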
Proof-of-concept code that demonstrates an exploit of this issue is publicly available.
Cisco has confirmed the issue in a security advisory; however, software updates are not yet available.
The following products are affected:
Cisco Unified CM versions 9.1(2) and prior
Cisco Unified Presence Server/Cisco IM and Presence Service versions 9.1(2) and prior
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.