The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability


<< Previous INDEX Search src / Print Next >>
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com.>
To: [email protected]
Subject: Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability
Date: Wednesday, 11 March 2009 10:40:00 -0500 
Message-id: <200903111040.cucmpab@psirt.cisco.com.>
Reply-To: [email protected]
Errors-To: [email protected]
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Prevent-NonDelivery-Report: 
Content-Return: Prohibited
X-Virus-Scanned: antivirus-gw at tyumen.ru

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager IP
Phone Personal Address Book Synchronizer Privilege Escalation
Vulnerability

Advisory ID: cisco-sa-20090311-cucmpab

Revision 1.0

For Public Release 2009 March 11 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Unified Communications Manager, formerly CallManager, contains
a privilege escalation vulnerability in the IP Phone Personal Address
Book (PAB) Synchronizer feature that may allow an attacker to gain
complete administrative access to a vulnerable Cisco Unified
Communications Manager system. If Cisco Unified Communications
Manager is integrated with an external directory service, it may be
possible for an attacker to leverage the privilege escalation
vulnerability to gain access to additional systems configured to use
the directory service for authentication.

Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are vulnerable:

  * Cisco Unified CallManager 4.1 versions
  * Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b
  * Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b
  * Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
  * Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
  * Cisco Unified Communications Manager 7.0 versions prior to 7.0(2)


Administrators of systems that are running Cisco Unified
Communications Manager software version 4.x can determine the
software version by navigating to Help > About Cisco Unified
CallManager and selecting the Details button via the Cisco Unified
Communications Manager administration interface.

Administrators of systems that are running Cisco Unified
Communications Manager software versions 5.x, 6.x, and 7.x can
determine the software version by viewing the main page of the Cisco
Unified Communications Manager administration interface. The software
version can also be determined by running the command show version
active via the command line interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager Express is not affected by this
vulnerability. No other Cisco products are currently known to be
affected by this vulnerability.

Details
=======

The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature
of Cisco Unified Communications Manager allows users to keep their
Cisco Unified Communications Manager address book synchronized with
their Microsoft Windows address book. The IP Phone PAB Synchronizer
feature contains a privilege escalation vulnerability that may allow
an attacker to obtain complete administrative access to a vulnerable
Cisco Unified Communications Manager system. After an IP Phone PAB
Synchronizer client successfully authenticates to a Cisco Unified
Communications Manager device over a HTTPS connection, the Cisco
Unified Communications Manager returns credentials for a user account
that is used to manage the Cisco Unified Communications Manager
directory service. If an attacker is able to intercept the
credentials, they can perform unauthorized modifications to the Cisco
Unified Communications Manager configuration and extend their
privileges. The IP Phone PAB Synchronizer client has been redesigned
to allow address book synchronization without requiring the directory
service credentials. This vulnerability does not allow an attacker to
gain access to the underlying platform operating system of any Cisco
Unified Communications Manager system.

Cisco Unified Communications Manager 4.x
+---------------------------------------

Cisco Unified Communications Manager software version 4.x by default
stores user information using an internal Lightweight Directory
Access Protocol (LDAP) server called DC Directory. After an IP Phone
PAB Synchronizer client successfully authenticates, the Cisco Unified
Communications Manager returns credentials for the DC Directory user
that will be used by the client to synchronize a user's address book.
Depending on how a Cisco Unified Communications Manager is
configured, an attacker may obtain different privilege levels using
the intercepted credentials.

By default, Cisco Unified Communications Manager software version 4.x
administrator accounts are created as part of an underlying Microsoft
Windows operating system. Cisco Unified Communications Manager is
commonly deployed using the Multi-Level Administration (MLA) feature
to ease the integration of Cisco Unified Communications Manager into
enterprise environments. If MLA is enabled, Cisco Unified
Communications Manager stores administrator accounts in the Cisco
Unified Communications Manager DC Directory service. If an attacker
obtains the DC Directory credentials and MLA is enabled, the attacker
can add an existing account to the Cisco Unified Communications
Manager super-user group. The attacker can then access the Cisco
Unified Communications Manager management interface with complete
administrative access. If MLA is not enabled, the attacker cannot
escalate their privileges; however, they can modify any user settings
in the directory.

The Cisco Unified Communications Manager 4.x IP Phone PAB
Synchronizer client uses an unencrypted LDAP connection to perform
address book synchronization. The DC Directory credentials are passed
in the clear over the network and are vulnerable to being sniffed by
an attacker. If using the DC Directory internal LDAP server, the IP
Phone PAB Synchronizer client communicates to Cisco Unified
Communications Manager on TCP ports 8404 and 8405.

Cisco Unified Communications Manager 5.x, 6.x, 7.x
+-------------------------------------------------

Cisco Unified Communications Manager software versions 5.x, 6.x, and
7.x store user information as a part of the internal Cisco Unified
Communications Manager configuration database. The IP Phone PAB
Synchronizer client uses the AXL application programming interface
(API) to perform address book synchronization. After a client
successfully authenticates, the Cisco Unified Communications Manager
returns credentials for a database user account named TabSyncSysUser
that will be used by the client to synchronize an user's address
book. The TabSyncSysUser account has full read and write privileges
to the Cisco Unified Communications Manager configuration database.
Using the TabSyncSysUser credentials via the AXL API, an attacker can
modify any parameter in the database including creating new
administrator accounts.

Directory Service Integration
+----------------------------

Cisco Unified Communications Manager software versions 4.x, 5.x, 6.x,
and 7.x can be integrated with Microsoft Active Directory and several
non-Microsoft LDAP servers to perform user authentication. In order
to function properly, the integration process requires that
appropriate user credentials for the directory service are provided
to Cisco Unified Communications Manager. If an attacker intercepts or
sniffs the directory service credentials returned by a Cisco Unified
Communications Manager responding to an IP Phone PAB Synchronizer
client, the attacker may be able to leverage the credentials to gain
access to additional systems configured to use the directory service
for authentication.

Administrators should ensure that any directory service credentials
used for the Cisco Unified Communications Manager integration process
are configured to follow the principle of least privilege. The
credentials should be configured with only the privileges necessary
to access the directory service data needed for the integration
process to function properly. The use of overly privileged
administrator accounts is discouraged. Please see the Workarounds
section for more information on performing the integration of Cisco
Unified Communications Manager with AD using the least privilege
concept.

This vulnerability is documented in Cisco Bug IDs CSCso76587 and
CSCso78528 and has been assigned Common Vulnerabilities and Exposures
(CVE) identifier CVE-2009-0632.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCso76587 - Directory Manager password sent in clear from client CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCso78528 - TabSyncSysUser (axl user) password sent in clear from client CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may allow an attacker to intercept user credentials that allow the attacker to escalate their privilege level and obtain complete administrative access to a vulnerable Cisco Unified Communications Manager system. If integrated with an external directory service, the intercepted user credentials may allow an attacker to gain access to additional systems configured to use the directory service for authentication. Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco Unified Communications Manager software version 4.2(3)SR4b contains the fix for this vulnerability. Administrators of Cisco Unified CallManager software version 4.1 systems are encouraged to upgrade to Cisco Unified Communications Manager software version 4.2 (3)SR4b in order to obtain fixed software. Version 4.2(3)SR4b can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 4.3(2)SR1b contains the fix for this vulnerability. Version 4.3(2)SR1b can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 5.1(3e) contains the fix for this vulnerability. Version 5.1(3e) can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 6.1(3) contains the fix for this vulnerability. Version 6.1(3) can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 7.0(2) contains the fix for this vulnerability. Version 7.0(2) can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=&isPlatform=Y&mdfid=281941895&sftType=Unified+Communications+Manager+Updates&treeName=Voice+and+Unified+Communications&modelName=Cisco+Unified+Communications+Manager+Version+7.0&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=&hybrid=Y&imst=N Workarounds =========== It is possible to mitigate against this vulnerability using the following workarounds. Cisco Unified Communications Manager 4.x +--------------------------------------- It is possible to mitigate this vulnerability by moving the ASP script that IP Phone Personal Address Book (PAB) Scynchronizer clients interact with to a directory location that is not accessible to the Cisco Unified Communications Manager web server. The system drive where the ASP script resides depends on how Cisco Unified Communications Manager was installed. Employing this workaround will prevent address book synchronization; however, the PAB application will continue to function. The ASP script can be moved using the following command: C:\> move c:\CiscoWebs\User\LDAPDetails.asp c:\temp It is also possible to mitigate this vulnerability by implementing filtering on screening devices or using the Windows firewall. Administrators are advised to permit access to TCP ports 8404 and 8405 only from trusted networks. Cisco Unified Communications Manager 5.x, 6.x, 7.x +------------------------------------------------- It is possible to mitigate this vulnerability by restricting the permissions of the TabSyncSysUser database user account. In the Cisco Unified Communications Manager Administration interface, navigate to User Management > Application User and search for the TabSyncSysUser account. Remove all groups from the account and change the password. Employing this workaround will prevent address book synchronization; however, the PAB application will continue to function. Active Directory Integration +--------------------------- To improve the security of Cisco Unified Communications Manager integration with Active Directory (AD), Cisco has produced a whitepaper that provides a detailed explanation of how to perform Cisco Unified Communications Manager integration with AD using the least-privileged principle. The whitepaper can be downloaded here: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080a83435.shtml Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090311-cucmpab.shtml Obtaining Fixed Software
Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center sw-usingswc.shtml. Do not contact [email protected] or [email protected] for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: [email protected] Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The vulnerability in Cisco Unified Communications Manager 4.x software versions was reported to Cisco by Olivier Grosjeanne of Dimension Data France. The vulnerability in Cisco Unified Communications Manager 5.x, 6.x and 7.x software versions was reported by Oliver Dewdney of LBI. Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * [email protected] * [email protected] * [email protected] * [email protected] * [email protected] * [email protected] * [email protected] * [email protected] Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-March-11 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFJt9DF86n/Gc8U/uARAtjqAJ9eE9ETbc4lyUJV8GrCEmiaJeS1NACdExbB dLmiSiaPCdGHpVKTKvZj78k= =C3h7 -----END PGP SIGNATURE-----

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру