|
|
|
|
| |
Cisco CallManager and Unified Communications Manager are vulnerable to cross-site Scripting (XSS) and SQL Injection attacks in the lang variable of the admin and user logon pages. A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database.
Cisco has made free software available to address these vulnerabilities for affected customers. |
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml
|
| |
Affected Products
Vulnerable Products
Cisco CallManager and Unified Communications Manager versions prior to the following are affected by these vulnerabilities:
* 3.3(5)sr2b
* 4.1(3)sr5
* 4.2(3)sr2
* 4.3(1)sr1
The software version of a CallManager or Unified Communications Manager system can be determined by navigating to Show > Software via the administration interface.
For Unified Communications Manager version 5.0, the software version can also be determined by running the command show version active in the Command Line Interface (CLI).
For CallManager and Unified Communications Manager version 3.x and 4.x systems, the software version can be determined by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the administration interface.
Note: Cisco Unified CallManager versions 4.3, 5.1 and 6.0 have been renamed to Cisco Unified Communications Manager. Software versions 3.3, 4.0, 4.1, 4.2 and 5.0 retain the Cisco Unified CallManager name.
Products Confirmed Not Vulnerable
No other Cisco products are known to be affected by this vulnerability.
No other versions of CallManager or Unified Communications Manager are vulnerable.
Details
Cisco Unified CallManager/Communications Manager (CUCM) is the call processing component of the Cisco IP telephony solution which extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.
The cross-site scripting vulnerability and the SQL injection vulnerability are triggered when a specially crafted value is entered in the lang variable of either the admin or user logon pages. Attacks against these vulnerabilities are conducted through the web interface and use the http or https protocol. In the case of the cross-site scripting vulnerability, the malicious value includes scripting code enclosed by the <script> and </script> tags. In the case of the SQL injection vulnerability, the value terminates the SQL call and completes a call to the back-end database.
An attacker must be able to convince a user into following a specially crafted URL in order to successfully exploit the cross-site scripting vulnerability.
The cross-site scripting vulnerability is documented as bug ID CSCsi10728 ( registered customers only) .
The SQL injection vulnerability is documented as bug ID CSCsi64265 ( registered customers only) .
Impact
An attacker could exploit the cross-site scripting vulnerability to steal account credentials or run unauthorized JavaScript on the client system.
An attacker could exploit the SQL injection vulnerability to read a single value from the database. Several successful attacks could disclose information about the database, information such as user names and passwords, and information from call records such as the time calls are placed and the numbers dialed. This vulnerability cannot be used to alter or delete call record information from the database.
Workarounds
There are no workarounds for these vulnerabilities.
Cross-site scripting, also known as XSS, is a flaw within web applications that enables malicious users, vulnerable websites, or owners of malicious websites to send malicious code to the browsers of unsuspecting users. The malicious code is usually in the form of a script embedded in the URL of a link or the code may be stored on the vulnerable server or malicious website. The browser will execute the malicious script because the web content is assumed to be from a trusted site and the browser does not have a way to validate the URL or HTML content. A main source of XSS attacks is websites that do not properly validate user-submitted content for dynamically generated web pages.
Because of the nature of XSS vulnerabilities, network mitigation techniques are generally ineffective. To reduce the risk of users becoming victims of XSS attacks, users should be educated about the URL verification limitations of browsers. Countermeasures should also be implemented in the browser through scripting controls. Scripting controls do allow the ability to define policies to restrict code execution.
For additional information on XSS attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Intelligence Response "Understanding Cross-Site Scripting (XSS) Threat Vectors", available at: http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xss.shtml.
|
|
|
|
|
|
|
|
|
|
