Cisco Unified Communications Manager and Presence Server Security Bypass

Secunia Advisory: SA26039
Release Date: 2007-07-12
Last Update: 2007-07-19
Critical: Less critical
Impact: Security Bypass
Where: From remote
Solution Status: Partial Fix
Software: Cisco Unified CallManager 5.x, Cisco Unified Communications Manager 5.x, Cisco Unified Presence Server 1.x
CVE reference: CVE-2007-3775, CVE-2007-3776

Description: Two vulnerabilities have been reported in Cisco Unified Communications Manager (CUCM, formerly CallManager) and Cisco Unified Presence Server (CUPS), which can be exploited by malicious users to bypass certain security restrictions.
The vulnerabilities are caused by unspecified errors and can be exploited by an unauthorized administrator to, for example, activate and terminate system services or view SNMP configuration information in a CUCM/CUPS cluster environment.
The vulnerabilities affect the following versions:
* Cisco Unified CallManager 5.0 and Communications Manager 5.1 versions up to and including 5.1(2)
* Cisco Unified Presence Server versions 1.0 to 1.0(3)

Solution: Apply updates.
CUCM 5.0/5.1:
Update to CUCM 5.1(2a) - http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-51?psrtdcat20e2
CUPS 1.0:
Upgrade to CUPS 6.0(1) - http://www.cisco.com/pcgi-bin/tablebuild.pl/cups-60?psrtdcat20e2
Version 1.0 is reportedly discontinued. The vendor recommends that users upgrade to version 6.

Provided and/or discovered by: Reported by the vendor.
Changelog: 2007-07-19: Added CVE reference.
Original Advisory: http://www.cisco.com/warp/public/707/cisco-sa-20070711-voip.shtml
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

18 Related Secunia Security Advisories, displaying 10
1. Cisco Unified Communications Manager Authentication Bypass and Denial of Service
2. Cisco Unified Presence Presence Engine Service Two Denial of Service Vulnerabilities
3. Cisco Unified Communications Manager Multiple Denial of Service
4. Cisco Unified Communications Disaster Recovery Framework Command Execution
5. Cisco Unified Communications Manager "key" SQL Injection
6. Cisco Security Agent Unspecified System Driver Buffer Overflow Vulnerability
7. Cisco Unified Communications Manager Two Vulnerabilities
8. Cisco CallManager Authentication Header Hijacking Security Issue
9. Cisco Unified Communications Manager SIP Packet Processing Vulnerability
10. Cisco Products Java Secure Socket Extension SSL/TLS Request Denial of Service