[NEWS] Cisco Unified Communications Manager Denial of Service Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Cisco Unified Communications Manager Denial of Service Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Cisco Unified Communications Manager, formerly Cisco CallManager, contains
multiple denial of service (DoS) vulnerabilities that may cause an
interruption in voice services, if exploited. These vulnerabilities were
discovered internally by Cisco. The following Cisco Unified Communications
Manager services are affected:

* Certificate Trust List (CTL) Provider
* Certificate Authority Proxy Function (CAPF)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP) Trap

Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these vulnerabilities
are available.

DETAILS

Vulnerable Products:
These products are vulnerable:
* Cisco Unified CallManager 4.1 versions prior to 4.1.3SR7
* Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(1)

Administrators of systems running Cisco Unified Communications Manager
version 4.x can determine the software version by navigating to Help >
About Cisco Unified CallManager and selecting the Details button via the
Cisco Unified Communications Manager Administration interface.

Administrators of systems that are running Cisco Unified Communications
Manager versions 5.x and 6.x can determine the software version by viewing
the main page of the Cisco Unified Communications Manager Administration
interface. The software version can also be determined by running the
command show version active via the command line interface (CLI).

Details:
Cisco Unified Communications Manager is the call processing component of
the Cisco IP Telephony solution that extends enterprise telephony features
and functions to packet telephony network devices, such as IP phones,
media processing devices, voice-over-IP (VoIP) gateways, and multimedia
applications.

Certificate Trust List Provider Related Vulnerabilities
The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system and
may result in a DoS condition. The CTL Provider service listens by default
on TCP port 2444 and is user configurable. The CTL Provider service is
enabled by default. There is a workaround for this vulnerability. The
vulnerability is fixed in Cisco Unified Communications Manager version
5.1(3). The vulnerability is documented in Cisco Bug ID CSCsj80609
(registered customers only) and has been assigned the CVE identifier
CVE-2008-1742.

The CTL Provider service of Cisco Unified Communications Manager versions
5.x and 6.x contains a memory consumption vulnerability that occurs when a
series of malformed TCP packets are received by a vulnerable Cisco Unified
Communications Manager system and may result in a DoS condition. The CTL
Provider service listens by default on TCP port 2444 and is user
configurable. There is a workaround for this vulnerability. The
vulnerability is fixed in Cisco Unified Communications Manager versions
5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID
CSCsi98433 (registered customers only) and has been assigned the CVE
identifier CVE-2008-1743.

Certificate Authority Proxy Function Related Vulnerability
The Certificate Authority Proxy Function (CAPF) service of Cisco Unified
Communications Manager versions 4.1, 4.2 and 4.3 contains a vulnerability
when handling malformed input that may result in a DoS condition. The CAPF
service listens by default on TCP port 3804 and is user configurable. The
CAPF service is disabled by default. There is a workaround for this
vulnerability. This vulnerability is fixed in Cisco Unified Communications
Manager versions 4.1(3)SR7, 4.2(3)SR4 and 4.3(2). This vulnerability is
documented in Cisco Bug ID CSCsk46770 (registered customers only) and has
been assigned the CVE identifier CVE-2008-1744.

SIP-Related Vulnerabilities
Cisco Unified Communications Manager versions 5.x and 6.x contain a
vulnerability in the handling of malformed SIP JOIN messages that may
result in a DoS condition. SIP processing cannot be disabled in Cisco
Unified Communications Manager. There is no workaround for this
vulnerability. This vulnerability is fixed in Cisco Unified Communications
Manager versions 5.1(2) and 6.1(1). This vulnerability is documented in
Cisco Bug ID CSCsi48115 (registered customers only) and has been assigned
the CVE identifier CVE-2008-1745.

Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x
contain a vulnerability in the handling of SIP INVITE messages that may
result in a DoS condition. SIP processing cannot be disabled in Cisco
Unified Communications Manager. There is no workaround for this
vulnerability. The vulnerability is fixed in Cisco Unified Communications
Manager versions 4.1(3)SR6, 4.2(3)SR3, 4.3(2), 5.1(3) and 6.1(1). This
vulnerability is documented in Cisco Bug ID CSCsk46944 (registered
customers only) and has been assigned the CVE identifier CVE-2008-1747.

Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x
contain a vulnerability in the handling of SIP INVITE messages that may
result in a DoS condition. SIP processing cannot be disabled in Cisco
Unified Communications Manager. There is no workaround for this
vulnerability. This vulnerability is fixed in Cisco Unified Communications
Manager versions 4.1(3)SR7, 4.2(3)SR4, 4.3(2), 5.1(3) and 6.1(1). This
vulnerability is documented in Cisco Bug ID CSCsl22355 (registered
customers only) and has been assigned the CVE identifier CVE-2008-1748.

SNMP Trap-Related Vulnerability
The SNMP Trap Agent service of Cisco Unified Communications Manager
versions 4.1, 4.2, 4.3, 5.x and 6.x contains a vulnerability that occurs
when a series of malformed UDP packets are received by a vulnerable Cisco
Unified Communications Manager system and may result in a DoS condition.
The SNMP Trap Agent service listens by default on UDP port 61441. There is
a workaround for this vulnerability. This vulnerability is fixed in Cisco
Unified Communications Manager versions 4.1(3)SR6, 4.2(3)SR3, 4.3(2),
5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID
CSCsj24113 (registered customers only) and has been assigned the CVE
identifier CVE-2008-1746.
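
The fixed releases listed above can be checked against a version string such as the one reported by show version active. The following Python is an added example, not part of the Cisco advisory; the function names are hypothetical, and it assumes that a dotted build string such as 6.1.1.1000-13 corresponds to 6.1(1) by its first three fields.

```python
import re

# First fixed release per CVE and release train, transcribed from the text above.
_SR6 = {"4.1": "4.1(3)SR6", "4.2": "4.2(3)SR3", "4.3": "4.3(2)",
        "5": "5.1(3)", "6": "6.1(1)"}
_SR7 = {"4.1": "4.1(3)SR7", "4.2": "4.2(3)SR4", "4.3": "4.3(2)",
        "5": "5.1(3)", "6": "6.1(1)"}
FIXED = {
    "CVE-2008-1742": {"5": "5.1(3)"},                                        # CTL Provider
    "CVE-2008-1743": {"5": "5.1(3)", "6": "6.1(1)"},                         # CTL Provider
    "CVE-2008-1744": {k: v for k, v in _SR7.items() if k.startswith("4.")},  # CAPF
    "CVE-2008-1745": {"5": "5.1(2)", "6": "6.1(1)"},                         # SIP JOIN
    "CVE-2008-1746": _SR6,                                                   # SNMP Trap
    "CVE-2008-1747": _SR6,                                                   # SIP INVITE
    "CVE-2008-1748": _SR7,                                                   # SIP INVITE
}

def parse(version):
    """Turn '4.1(3)SR6', '4.1.3SR7' or '6.1.1.1000-13' into a sortable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)[.(](\d+)\)?(?:\s*SR(\d+))?", version, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def train(v):
    """4.x fixes are per minor train (4.1/4.2/4.3); 5.x and 6.x per major."""
    return f"{v[0]}.{v[1]}" if v[0] == 4 else str(v[0])

def open_cves(version):
    """CVEs from this advisory that the given release is still exposed to."""
    v = parse(version)
    hits = []
    for cve, fixes in sorted(FIXED.items()):
        fix = fixes.get(train(v))  # None: train not listed as affected
        if fix is not None and v < parse(fix):
            hits.append(cve)
    return hits

if __name__ == "__main__":
    for sample in ("4.1(3)SR6", "5.1(2)", "6.1.1.1000-13"):  # constructed inputs
        print(sample, open_cves(sample))
```

A 4.1(3)SR6 system still needs SR7 for the CAPF issue and one of the SIP INVITE issues, which is why the table keeps the per-CVE fix level rather than a single cut-off per train.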

Impact
Successful exploitation of the vulnerabilities in this advisory may result
in the interruption of voice services.

Workarounds
CTL Provider Related Vulnerabilities
To mitigate against the CTL Provider service vulnerabilities (CSCsj80609
and CSCsi98433), system administrators can disable the CTL Provider
service if it is not needed. Access to the CTL Provider Service is usually
only required during the initial configuration of Cisco Unified
Communications Manager authentication and encryption features. The CTL
Provider service is controlled via the Cisco CTL Provider menu selection.

It is possible to mitigate the CTL Provider vulnerabilities by
implementing filtering on screening devices. If the CTL Provider service
is enabled, permit access to TCP port 2444 only between the Cisco Unified
Communications Manager systems where the CTL Provider service is active
and the CTL Client, usually on the administrator's workstation, to
mitigate the CTL Provider service overflow.

Note: It is possible to change the default port of the CTL Provider
service (TCP port 2444). If changed, filtering should be based on the
values used. The values of the ports can be viewed in Cisco Unified
Communications Manager Administration interface by following the System >
Service Parameters menu and selecting the appropriate service.

CAPF Related Vulnerability
To mitigate against the CAPF service vulnerability (CSCsk46770), system
administrators can disable the CAPF service if it is not needed. Access to
the CAPF service is only required if Cisco Unified Communications Manager
systems and IP phone devices are configured to use certificates for a
secure deployment. If phones are not configured to use certificates, then
the CAPF service can be disabled. The CAPF service is controlled by the
Cisco Certificate Authority Proxy Function menu selection.

It is possible to mitigate the CAPF vulnerability by implementing
filtering on screening devices. If the CAPF service is enabled, permit
access to TCP port 3804 only from networks that contain IP phone devices
needing to utilize the CAPF service.

SIP-Related Vulnerabilities
It is possible to mitigate the SIP vulnerabilities by implementing
filtering on screening devices. Permit TCP/UDP access to ports 5060 and
5061 from only networks that need SIP access to Cisco Unified
Communications Manager servers.

SNMP Trap-Related Vulnerability
To mitigate against the SNMP Trap service vulnerability (CSCsj24113),
system administrators can disable the SNMP Trap service. For Cisco Unified
Communications Manager 4.x systems, the SNMP Trap service is controlled by
the embedded Windows SNMP service. To disable the Windows SNMP service,
navigate to Start > Programs > Administrative Tools > Services, and stop
the SNMP Service.

Note: The SNMP Trap Service listed in the Windows Service configuration
screen is not applicable to this vulnerability and disabling it does not
provide any benefit as a workaround for this vulnerability.

For Cisco Unified Communications Manager 5.x and 6.x systems, the SNMP
Trap service is controlled via the Cisco CallManager SNMP Service
selection on the Control Center Feature Services screen.

It is possible to mitigate the SNMP Trap service vulnerability by
implementing filtering on screening devices. Permit access to UDP port
61441 only from management systems that need access to the SNMP Trap
service.
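
The filtering workarounds above amount to a per-port allow-list of source networks, which can be checked against flow records to confirm that the screening devices enforce it. The following Python is an added example, not part of the Cisco advisory; the function names, the flow record layout and all addresses are constructed assumptions, and the CTL Provider and CAPF ports are parameters because the advisory notes they are user configurable.

```python
import ipaddress

def build_policy(ctl_clients, phone_nets, sip_nets, mgmt_nets,
                 ctl_port=2444, capf_port=3804):
    """Map (proto, dst port) -> (service, permitted source networks)."""
    nets = lambda cidrs: [ipaddress.ip_network(c) for c in cidrs]
    policy = {
        ("tcp", ctl_port): ("CTL Provider", nets(ctl_clients)),
        ("tcp", capf_port): ("CAPF", nets(phone_nets)),
        ("udp", 61441): ("SNMP Trap", nets(mgmt_nets)),
    }
    for proto in ("tcp", "udp"):          # SIP: TCP/UDP 5060 and 5061
        for port in (5060, 5061):
            policy[(proto, port)] = ("SIP", nets(sip_nets))
    return policy

def audit(flows, cucm_servers, policy):
    """Return flows to CUCM service ports whose source is not permitted."""
    servers = {ipaddress.ip_address(s) for s in cucm_servers}
    findings = []
    for line in flows.strip().splitlines():
        proto, src, dst, dport = line.split()   # assumed layout: proto src dst dport
        rule = policy.get((proto.lower(), int(dport)))
        if rule is None or ipaddress.ip_address(dst) not in servers:
            continue
        service, allowed = rule
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            findings.append((service, src, f"{proto.lower()}/{dport}"))
    return findings

# Constructed site values (documentation and private address ranges).
POLICY = build_policy(ctl_clients=["192.0.2.10/32"], phone_nets=["10.20.0.0/16"],
                      sip_nets=["10.20.0.0/16"], mgmt_nets=["192.0.2.32/28"])
FLOWS = """
tcp 192.0.2.10 10.0.0.5 2444
tcp 198.51.100.7 10.0.0.5 2444
udp 10.20.3.4 10.0.0.5 5060
udp 203.0.113.9 10.0.0.5 61441
tcp 10.20.3.4 10.0.0.5 3804
tcp 203.0.113.9 10.0.0.5 443
"""

if __name__ == "__main__":
    for finding in audit(FLOWS, ["10.0.0.5"], POLICY):
        print("unexpected source:", finding)
```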

For Cisco Unified Communications Manager 4.x systems, please consult the
following documentation for details on how to disable Cisco Unified
Communications Manager services:


http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008070ec49.html

For Cisco Unified Communications Manager 5.x and 6.x systems, please
consult the following documentation for details on how to disable Cisco
Unified Communications Manager services:


http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008037ced2.html#wp1048220

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20080514-cucmdos.shtml


ADDITIONAL INFORMATION

The information has been provided by Cisco Systems Product Security
Incident Response Team (psirt@xxxxxxxxx).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml


