Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2009-2865 to a friend New vulnerability? New tool? Tell us	CVE-2009-2865 Cisco Unified Communications Manager Express Vulnerability     Credit: The information has been provided by Cisco Systems Product Security Incident Response Team. The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2009-2865 Details Check for CVE-2009-2865 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Cisco Unified Communications Manager Express Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device. Cisco IOS devices, including Cisco Unified Communications 500 Series, that are configured for Cisco Unified CME and the Extension Mobility feature are affected. Vulnerable Products A Cisco IOS device that is configured for Cisco Unified CME and Extension Mobility contains the following output when the show running-config command is issued: ephone [Ethernet phone tag] ... logout-profile [logout-profile tag] isco Unified CME is the call processing component of an enhanced IP telephony solution that is integrated into Cisco IOS. The Extension Mobility feature in Cisco Unified CME provides the benefit of phone mobility for end users. A user login service allows phone users to temporarily access a physical phone other than their own phone and utilize their personal settings, such as directory number, speed-dial lists, and services, that is assigned to their own desk phone. The phone user can make and receive calls on that phone using the same personal directory number as is on their own desk phone. More information on Extension Mobility feature is available at the following URL: http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmemobl.html A vulnerability in the login section of the Extension Mobility feature may allow an unauthenticated attacker to execute arbitrary code or cause a Denial of Service (DoS) condition. Such packets can only come from registered phone IP addresses in the form of HTTP requests. If the auto-registration feature is enabled, an attacker can register its IP address and subsequently send a crafted payload to exploit this vulnerability. The auto-registration feature is enabled by default. More information on auto-registration can be found at the following link: http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/command/reference/cme_a1ht.html#wp1031242. CVE Information: CVE-2009-2865  Comments on CVE-2009-2865:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®