[NEWS] Cisco CallManager Multiple Vulnerabilities (DoS, Memory Leak, Buffer Overflow)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/20/05

    To: list@securiteam.com
    Date: 20 Jul 2005 16:47:15 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    - - - - - - - - -

      Cisco CallManager Multiple Vulnerabilities (DoS, Memory Leak, Buffer Overflow)
    ------------------------------------------------------------------------

    SUMMARY

    Cisco CallManager (CCM) is the software-based call-processing component of
    the Cisco IP telephony solution which extends enterprise telephony
    features and functions to packet telephony network devices such as IP
    phones, media processing devices, voice-over-IP (VoIP) gateways, and
    multimedia applications. Cisco CallManager 3.3 and earlier, 4.0, and 4.1
    are vulnerable to Denial of Service (DoS) attacks, memory leaks, and
    memory corruption which may result in services being interrupted, servers
    rebooting, or arbitrary code being executed.

    DETAILS

    Vulnerable Systems:
     * Cisco CallManager 3.2 and prior
     * Cisco CallManager 3.3, versions prior to 3.3(5)
     * Cisco CallManager 4.0, versions prior to 4.0(2a)SR2b
     * Cisco CallManager 4.1, versions prior to 4.1(3)SR1

    CSCed37403 - Resource leak with RISDC -- CallManager does not time out
    RISDC (Realtime Information Server Data Collection) sockets aggressively
    enough, leading to a scenario where Task Manager shows RisDC.exe using
    large amounts of non-paged pool memory while TCP ports remain in the
    CLOSE_WAIT state.
    Non-paged pool allocation can be checked by opening Microsoft Windows
    Task Manager, going to the View menu, choosing Select Columns and
    selecting Non-paged Pool. Open ports, and their states, are listed in the
    output of the netstat -an command.

    CSCee00116 - Cisco CallManager CTI Manager may restart with greater than
    1GB memory used -- Repeated attacks with crafted packets can cause the CTI
    Manager to allocate greater than 1 gigabyte of virtual memory. Memory
    allocation of the ctimgr.exe process can be checked by viewing the
    Microsoft Windows Task Manager.

    CSCee00118 - CallManager may restart with repeated attacks -- Crafted
    packets can cause the CallManager to inappropriately allocate 500MB to the
    ccm.exe process; the memory is returned to the pool under normal
    conditions, but repeated attacks may cause a CallManager under load to
    exhaust memory resources and restart.
    Memory allocation of the ccm.exe process can be checked by viewing the
    Microsoft Windows Task Manager. Under attack, ccm.exe memory will jump
    repeatedly by 500MB.

    CSCef47060 - Failed logins create memory leak when MLA enabled -- When MLA
    (Multi Level Admin) is enabled and there are repeated failed logons to
    the AST (Admin Service Tool), a memory leak may occur. Under normal
    operation inetinfo.exe uses between 20MB and 30MB of memory; systems
    affected by this issue showed up to 750MB in use. Memory allocation of
    the inetinfo.exe process can be checked by viewing the Microsoft Windows
    Task Manager. MLA is not on by default and its enable status can be
    checked under CCM/User/Access Rights/MLA Parameters/Enable Multi Level
    Admin.

    CSCsa75554 - Vulnerability to DoS and remote execution in aupair service
    -- Crafted packets directed at Cisco CallManager may cause a memory
    allocation failure and buffer overflow resulting in potential execution of
    arbitrary code, abnormal termination of the aupair process, or corruption
    of memory. The aupair.exe process is a database layer between ccm.exe and
    SQL which cannot be disabled for normal Cisco CallManager operation.

    When viewing Microsoft Windows Task Manager, the process is aupair.exe,
    but under the Service Control Manager it is called Cisco Database Layer
    Monitor. If the aupair.exe process terminates, a message is logged to the
    Windows event log and a Dr. Watson report is generated.
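    The checks above are described as manual Task Manager and netstat -an
    inspections. As an added example, not part of the Cisco advisory or the
    SecuriTeam text, the following Python script applies the same indicators
    to text in the shape of Windows netstat -an output and to a series of
    per-process memory readings: CLOSE_WAIT sockets accumulating on a port
    (CSCed37403), ctimgr.exe above 1GB (CSCee00116), ccm.exe growing in
    ~500MB steps (CSCee00118), inetinfo.exe far above its 20-30MB norm
    (CSCef47060), and aupair.exe no longer running (CSCsa75554). The sample
    netstat lines, the process snapshots, the port numbers, and the alarm
    thresholds for inetinfo.exe and the ccm.exe jump are constructed
    assumptions, not values from the advisory.

```python
"""Added example: heuristic checks for the CallManager symptoms listed above.

Parses text in the shape of Windows `netstat -an` output and a series of
process-memory snapshots (as one would read from Task Manager), then flags
the indicators the advisory describes.  All sample data below is constructed.
"""
import re
from collections import Counter

MB = 1024 * 1024

# One line of Windows `netstat -an` output for a TCP socket:
#   TCP    <local ip>:<port>    <foreign ip>:<port>    <STATE>
NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")


def close_wait_counts(netstat_text):
    """Count CLOSE_WAIT sockets per local port (CSCed37403 indicator).

    Returns a Counter mapping local port -> number of CLOSE_WAIT sockets,
    so a port that keeps accumulating them stands out.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP.match(line)
        if m and m.group(3) == "CLOSE_WAIT":
            counts[int(m.group(2))] += 1
    return counts


# Absolute limits drawn from the advisory.  The inetinfo.exe figure is an
# assumption: normal use is 20-30 MB and the leak was seen reaching 750 MB.
LIMITS = {
    "ctimgr.exe": ("CSCee00116", 1024 * MB),
    "inetinfo.exe": ("CSCef47060", 100 * MB),
}
# ccm.exe grows in ~500 MB steps under attack; alarm a little below that.
CCM_JUMP_ALARM = 450 * MB  # assumption


def check_memory(snapshots):
    """Apply the advisory's memory indicators to a list of snapshots.

    Each snapshot is a dict {process name: bytes in use}, oldest first.
    Returns a list of (bug id, process, detail) findings.
    """
    findings = []
    latest = snapshots[-1]
    for proc, (bug, limit) in LIMITS.items():
        used = latest.get(proc, 0)
        if used > limit:
            findings.append((bug, proc, "%d MB in use" % (used // MB)))
    for prev, cur in zip(snapshots, snapshots[1:]):
        delta = cur.get("ccm.exe", 0) - prev.get("ccm.exe", 0)
        if delta >= CCM_JUMP_ALARM:
            findings.append(("CSCee00118", "ccm.exe",
                             "grew by %d MB between samples" % (delta // MB)))
    # The database layer must always run; its absence means aupair.exe died.
    if "aupair.exe" not in latest:
        findings.append(("CSCsa75554", "aupair.exe", "process not running"))
    return findings


# Constructed sample data (not captured from a real system; the port
# numbers are arbitrary and are not claimed to be the RISDC port).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2555           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:2555          10.1.1.20:1043         CLOSE_WAIT
  TCP    10.1.1.5:2555          10.1.1.20:1044         CLOSE_WAIT
  TCP    10.1.1.5:2555          10.1.1.21:1100         CLOSE_WAIT
  TCP    10.1.1.5:2000          10.1.1.30:49152        ESTABLISHED
  TCP    10.1.1.5:2748          10.1.1.40:3011         CLOSE_WAIT
  UDP    0.0.0.0:69             *:*
"""

SAMPLE_SNAPSHOTS = [
    {"ccm.exe": 300 * MB, "ctimgr.exe": 200 * MB, "inetinfo.exe": 25 * MB,
     "aupair.exe": 40 * MB, "RisDC.exe": 30 * MB},
    {"ccm.exe": 800 * MB, "ctimgr.exe": 700 * MB, "inetinfo.exe": 25 * MB,
     "aupair.exe": 40 * MB, "RisDC.exe": 35 * MB},
    {"ccm.exe": 1300 * MB, "ctimgr.exe": 1100 * MB, "inetinfo.exe": 750 * MB,
     "RisDC.exe": 40 * MB},  # aupair.exe is gone in the last sample
]

if __name__ == "__main__":
    for port, n in sorted(close_wait_counts(SAMPLE_NETSTAT).items()):
        print("port %d: %d CLOSE_WAIT sockets" % (port, n))
    for bug, proc, detail in check_memory(SAMPLE_SNAPSHOTS):
        print("%s %s: %s" % (bug, proc, detail))
```

    Non-paged pool usage of RisDC.exe is not modelled because the advisory
    gives no figure for it; on a real server the CLOSE_WAIT count per port is
    the observable that grows alongside it. Feed the script real netstat -an
    text and periodic readings of the same process names to use it as a
    polling check.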

    Successful exploitation of the vulnerabilities may result in severe issues
    with Cisco CallManager and related IP telephony services.
    Triggering the memory allocation failure and buffer overflow may allow
    remote code execution and a breach of confidentiality. Excess memory
    allocation can cause resource starvation, resulting in high CPU
    utilization, unresponsive terminal services, and the inability to run
    CCM Admin or to map drives. This may then lead to phones not responding,
    phones unregistering from the Cisco CallManager, or Cisco CallManager
    restarting.

    Vendor Status:
    When considering software upgrades, please also consult
    http://www.cisco.com/en/US/products/products_security_advisories_listing.html
    and any subsequent advisories to determine exposure and a complete
    upgrade solution.

    In all cases, customers should exercise caution to be certain the devices
    to be upgraded contain sufficient memory and that current hardware and
    software configurations will continue to be supported properly by the new
    release. If the information is not clear, contact the Cisco Technical
    Assistance Center ("TAC") for assistance.

    Each row of the Cisco CallManager software table (below) describes a
    release train which will address all of the vulnerabilities mentioned in
    this advisory. If a given release train is vulnerable, then the earliest
    possible releases that contain the fixes (the "First Fixed Release") and
    the anticipated date of availability for each are listed in the
    "Engineering Special," "Service Release," and "Maintenance Release"
    columns. A device running a Cisco CallManager release in the given train
    that is earlier than the release in a specific column (less than the First
    Fixed Release listed in the Engineering Special or Service Release
    columns) is known to be vulnerable to one or more issues. The Cisco
    CallManager should be upgraded at least to the indicated release or a
    later version (greater than or equal to the First Fixed Release label).

    +---------------+------------------------+------------------+--------------------------+
    | Train         | Engineering Special    | Service Release  | Maintenance Release      |
    +---------------+------------------------+------------------+--------------------------+
    | 3.2 and       |                        |                  | migrate to 3.3 or later  |
    | earlier       |                        |                  |                          |
    +---------------+------------------------+------------------+--------------------------+
    | 3.3           | 3.3(3)ES61, 3.3(4)ES25 |                  | 3.3(5)                   |
    +---------------+------------------------+------------------+--------------------------+
    | 4.0           | 4.0(2a)ES40            | 4.0(2a)SR2b      | no release planned,      |
    |               |                        |                  | migrate to 4.1           |
    +---------------+------------------------+------------------+--------------------------+
    | 4.1           | 4.1(2)ES33, 4.1(3)ES07 | 4.1(3)SR1        | 4.1(4), release date to  |
    |               |                        |                  | be determined            |
    +---------------+------------------------+------------------+--------------------------+

    ADDITIONAL INFORMATION

    The information has been provided by Cisco Systems (psirt@cisco.com).
    The original article can be found at:
    http://www.cisco.com/warp/public/707/cisco-sa-20050712-ccm.shtml

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


