In this Section

Security Advisory – Cisco CUCDM IP Phone Services

pdf_symbol

Sense of Security – Security Advisory – SOS-14-001

Release Date. 30-Nov-2014
Last Update.
Vendor Notification Date. 17-Jan-2014
Product. Cisco Unified Communications Domain Manager
Platform. Cisco Unified Communications Domain Manager
Affected versions. All versions up to 10.5
Severity Rating. High / Medium / Low
Impact. Privilege escalation
Security bypass
Spoofing
Exposure of sensitive information
Attack Vector. Remote without authentication
Solution Status. Vendor Patch
CVE reference. CVE-2014-3278
CVE-2014-3281
CVE-2014-3300

 

Details.

Multiple high risk security vulnerabilities were detected in the IP

phone services of the Cisco Unified Communications Domain Manager

(a.k.a. CUCDM or VOSS Solutions Domain Manager). The security

vulnerabilities can be used to obtain unauthorised access to

the CUCDM services, to bypass the authorisation scheme for the IP

phones and to compromise the hosted VoIP services and infrastructure.

Fatih Ozavci, a Senior Security Consultant with Sense of Security,

has demonstrated these vulnerabilities and additional design issues

at Black Hat USA 2014 and Def Con 22 security events using the

Viproy VoIP Penetration Testing Kit.

 

Details of the vulnerabilities and required security fixes or

workarounds can be found in the following references:

 

  1. Cisco Unified Communications Domain Manager BVSMWeb

Unauthorized Data Manipulation Vulnerability (High Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3300

 

A vulnerability in the web framework of the Cisco Unified

Communications Domain Manager Application Software could allow

an unauthenticated, remote attacker to access and modify BVSMWeb

portal user information such as settings in the personal phone

directory, speed dials, Single Number Reach, and call forward

settings.

 

The vulnerability is due to improper implementation of

authentication and authorisation controls when accessing some

web pages of the BVSMWeb portal. An attacker could exploit this

vulnerability by submitting a crafted URL to the affected system.

 

  1. Cisco Unified Communications Domain Manager BVSMWeb

Information Disclosure Vulnerability (Medium Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3281

 

A vulnerability in the web framework of the VOSS Operating System

running on Cisco Unified Communications Domain Manager (Cisco

Unified CDM) Application Software could allow an unauthenticated,

remote attacker to access limited user information.

 

The vulnerability is due to improper implementation of authentication

and authorisation controls when accessing some web pages of BVSMWeb

applications. An attacker could exploit this vulnerability by submitting

crafted URLs to the affected system.

 

  1. Cisco Unified Communications Domain Manager BVSMWeb User Enumeration

Vulnerability (Low Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3278

 

A vulnerability in the web framework of the VOSS Operating System running

on Cisco Unified Communications Domain Manager (Cisco Unified CDM)

Application Software could allow an unauthenticated, remote attacker

to enumerate valid user accounts.

 

The vulnerability is due to improper implementation of authentication

and authorisation controls when accessing some web pages of the BVSMWeb

application. An attacker could exploit this vulnerability by submitting

crafted URLs to the affected system.

 

Exploits and Tools.

Viproy VoIP Penetration Testing and Exploitation Kit.

 

Solution.

All vendor security fixes must be installed. All Cisco CUCDM customers

must migrate from the BVSMWeb interface of the CUCDM to the Cisco

Unified Communication Manager IP telephony management services.

 

Discovered by.

Fatih Ozavci from Sense of Security Labs.