[Full-Disclosure] Cisco Security Advisory: Voice Product Vulnerabilities on IBM Servers

From: Cisco Systems Product Security Incident Response Team (psirt_at_cisco.com)
Date: 01/21/04

  • Next message: Michael T. Harding: "Re: [Full-Disclosure] Anti-MS drivel"
    To: full-disclosure@lists.netsys.com
    Date: Wed, 21 Jan 2004 09:00:00 -0800

    Hash: SHA1

    Cisco Security Advisory: Voice Product Vulnerabilities on IBM Servers

    Revision 1.0 - FINAL

    For Public Release 2004 January 21 UTC 1700 (GMT)



    Affected Products
    Software Versions and Fixes
    Obtaining Fixed Software
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Revision History
    Cisco Security Procedures



    The default installation of Cisco voice products on the IBM platform
    will install the Director Agent in an unsecure state, leaving the
    Director services vulnerable to remote administration control and/or
    Denial of Service attacks. The vulnerabilities can be mitigated by
    configuration changes and Cisco is providing a repair script that will
    close the vulnerable ports and put the Director agent in secure state
    without requiring an upgrade.

    This advisory will be available at

    Affected Products

    Cisco voice products running on IBM servers installed with the default
    configurations are affected if they leave TCP or UDP port 14247 open. To
    verify this vulnerability, the administrator may open a command window
    on the server and type netstat -a. If port 14247 is listed, the server
    is vulnerable to remote administrative control and Denial of Service

    Affected Cisco voice products:

       * Cisco CallManager

       * Cisco IP Interactive Voice Response (IP IVR)

       * Cisco IP Call Center Express (IPCC Express)

       * Cisco Personal Assistant (PA)

       * Cisco Emergency Responder (CER)

       * Cisco Conference Connection (CCC)

       * Cisco Internet Service Node (ISN) running on an IBM with an
           affected OS version.

    Affected IBM-based server model numbers:

       * IBM X330 (8654 or 8674)

       * IBM X340

       * IBM X342

       * IBM X345

       * MCS-7815-1000

       * MCS-7815I-2.0

       * MCS-7835I-2.4

       * MCS-7835I-3.0

    Affected OS Versions:

       * All operating system (OS) versions running on an IBM server prior
           to OS 2000.2.6, which has not yet been released as of the date of
           this notice.


    The default installations of Cisco voice products on IBM servers will
    install IBM Director in unsecure state leaving TCP and UDP ports 14247
    open. Any Director Server/Console agent can connect over port 14247 to
    gain administrative level control without requiring authentication.
    Also, a network security scanner scanning port 14247 can trigger the IBM
    Director agent process twgipc.exe to use 100% of the CPU until the
    server is rebooted. These vulnerabilities are documented in the two
    Cisco bug IDs:

       * CSCed33037 - IBM Director agents default install allows remote

       * CSCed23357 - IBM servers with Director agent 2.2 or 3.11 are
           vulnerable to a DoS.


    A Cisco voice server with the IBM Director agent in unsecure state is
    susceptible to administrative level control and Denial of Service attacks.

    Administrative level control includes the following functionality:
    shutdown/power off/restart, remote command shell, file transfer,
    processes/services/device drivers stop and start, network configuration
    modification (including domain/workgroup membership), Windows 2000 user
    account creation, and SNMP configuration modification.

    In a Denial of Service attack, an attacker can render the Cisco voice
    server inoperative with CPU utilization spiking to 100%, and the IBM
    server must be powered off or rebooted in order to regain control of the

    Software Versions and Fixes

    The vulnerabilities are specific to Cisco voice products on IBM servers
    and all vulnerabilities listed in this advisory can be mitigated with
    the repair script without requiring an upgrade.

    The repair script is available at:


    Obtaining Fixed Software

    As the mitigation for the vulnerabilities is a repair script, a software
    upgrade is not required to address the vulnerabilities. However, if you
    have a service contract, and wish to upgrade to unaffected code, you may
    obtain upgraded software through your regular update channels once that
    software is available. For most customers, this means that upgrades
    should be obtained through the Software Center on Cisco's Worldwide Web
    site at http://www.cisco.com.

    If you need assistance with the implementation of the workarounds, or
    have questions on the workarounds, please contact the Cisco Technical
    Assistance Center (TAC).

       * +1 800 553 2447 (toll free from within North America)

       * +1 408 526 7209 (toll call from anywhere in the world)

       * e-mail: tac@cisco.com <mailto:tac@cisco.com>

    See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
    additional TAC contact information, including special localized
    telephone numbers and instructions and e-mail addresses for use in
    various languages.

    Please do not contact either "psirt@cisco.com" or
    "security-alert@cisco.com" for software upgrades.


    Cisco's repair script adds 3 levels of improved security to the Director

       1. The Director agent no longer listens on TCP or UDP ports 14247 for
          remote connections from a Director Server. This change prevents
          the Denial of Service attacks described in the Impact section.

       2. The repair script secures the Director agent such that even if
          port 14247 is reenabled, the Director agent still would not accept
          connections from any Director Server.

       3. The Director Agent executable files which are not necessary to the
          functioning of the program, yet provide high levels of access or
          control, are completely disabled by this repair script.

    Note: If you are using IBM Director Server and Console to monitor the
    Cisco voice products, this repair script will disable the connection to
    those IBM servers. The Director agents will still provide pop-up
    warnings and Event Viewer messages in version 3.11, and SNMP traps to
    network management software like CiscoWorks IP Telephony Monitor. To
    regain IBM Director Server monitoring capabilities, IBM Director agent
    4.11 will be released in OS Upgrade 2000.2.6 and support can be
    re-enabled for Director Server after the upgrade to OS version 2000.2.6.

    Exploitation and Public Announcements

    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.

    Status of This Notice: FINAL

    This is a FINAL notice. Although Cisco cannot guarantee the accuracy of
    all statements in this notice, all of the facts have been checked to the
    best of our ability. Cisco does not anticipate issuing updated versions
    of this advisory unless there is some material change in the facts.
    Should there be a significant change in the facts, Cisco will update
    this advisory.


    This notice will be posted on Cisco's worldwide website at
    http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml. In
    addition to worldwide web posting, a text version of this notice is
    clear-signed with the Cisco PSIRT PGP key and is posted to the following
    e-mail and Usenet news recipients:

       * cust-security-announce@cisco.com
       * first-teams@first.org (includes CERT/CC)
       * bugtraq@securityfocus.com
       * full-disclosure@lists.netsys.com
       * vulnwatch@vulnwatch.org
       * cisco@spot.colorado.edu
       * cisco-nsp@puck.nether.net
       * comp.dcom.sys.cisco
       * Various internal Cisco mailing lists

    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on mailing
    lists or newsgroups. Users concerned about this problem are encouraged
    to check the above URL for any updates.

    Revision History

    Revision 1.0 2004-January-21 Initial public release.

    Cisco Security Procedures

    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and registering
    to receive security information from Cisco, is available on Cisco's
    worldwide website at
    http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
    includes instructions for press inquiries regarding Cisco security
    notices. All Cisco security advisories are available at


    All contents are Copyright 1992-2004 Cisco Systems, Inc. All rights
    reserved. Important Notices <http://www.cisco.com/public/copyright.html>
    and Privacy Statement <http://www.cisco.com/public/privacy.html>.

    Version: PGP 7.0.1

    -----END PGP SIGNATURE-----

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Michael T. Harding: "Re: [Full-Disclosure] Anti-MS drivel"