{"id":16593,"date":"2021-07-08T10:40:53","date_gmt":"2021-07-08T08:40:53","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0037\/"},"modified":"2021-07-19T14:10:19","modified_gmt":"2021-07-19T12:10:19","slug":"usd-2018-0037","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0037\/","title":{"rendered":"usd-2018-0037"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0037 | Cisco Unified Communications Manager (CallManager)\/11.5.1.15900-18 (likely in all versions)<\/span><\/h1>\n<p><strong>Advisory ID<\/strong><span>: usd-2018-0037<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: Unified Communications Manager<\/span><br \/><strong>Affected Version<\/strong><span>: 11.5.1.15900-18 (likely in all versions)<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Exposure of Sensitive Configuration Data<\/span><br \/><strong>Security Risk<\/strong><span>: High<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.cisco.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cisco.com<\/a><br \/><strong>Vendor Status<\/strong><span>: Unknown<\/span><\/p>\n<h3>Description<\/h3>\n<p>usd discovered that Cisco Unified Communications Manager (CallManager) transmits passwords to TelePresence devices in plain-text. 
This means that these passwords are also stored somewhere in an insecure way, either in plain text or using some sort of reversible method.<\/p>\n<p>Cisco Unified Communications Manager (CallManager) is a server component for video conferencing and video telephony infrastructures. A typical setup of Cisco Unified Communications infrastructures includes one or more CallManagers connected to a number of video conferencing devices, such as Cisco TelePresence SX20. The TelePresence devices, which may for example be located in conference rooms, connect to the CallManagers both to retrieve configuration files and whenever a video call takes place. usd discovered multiple vulnerabilities in the way these devices interact and within the CallManager itself.<\/p>\n<h3>First Proof of Concept: Obtaining configuration data<\/h3>\n<p>A request to the following URL will retrieve the configuration file of a specific device, containing clear-text credentials. Replace SEPXXXXXXXXX with the device name:<br \/>http:\/\/10.10.10.10:6970\/SEPXXXXXXXXX.cnf.xml<\/p>\n<p>The resulting XML file contains clear-text credentials within the following tags:<\/p>\n<p>adminpassw0rd!<\/p>\n<p>Using these credentials, the attacker can now authenticate to the target device via SSH or HTTPS. This allows the attacker to manipulate the device's configuration or to create and download captures of network traffic. 
These captures can be used to eavesdrop on video and audio calls.<\/p>\n<h3>Second Proof of Concept: Eavesdropping on audio\/video calls<\/h3>\n<p>A request to the following URL will retrieve a configuration file containing AD user credentials:<br \/>http:\/\/10.10.10.10:6970\/SPDefault.cnf.xml<\/p>\n<p>The resulting XML file contains clear-text credentials within the following tags:<\/p>\n<p>AD-Domain\\ucm_userucm_passw0rd!<\/p>\n<p>This data may provide attackers with access to a valid domain user.<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Utilize secure password hashing functions (e.g. Argon2 or PBKDF2) to store passwords.<\/span><br \/><span>For non-interactive authentication of client devices, usd recommends using TLS client certificates instead of passwords.<\/span><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-10-31 Advisory has been sent to psirt@cisco.com<\/li>\n<li>2018-11-07 Cisco states that mitigations for the storage of credentials within XML files are available in the upcoming version 12.5 of CUCM software<\/li>\n<li>2018-11-09 Public disclosure deadline extended to 2019-01-23<\/li>\n<li>2019-01-23 Security advisory released<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was discovered by Marcus Gruber and Maximilian Boehner of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0037 | Cisco Unified Communications Manager (CallManager)\/11.5.1.15900-18 (likely in all versions) Advisory ID: usd-2018-0037CVE Number: N\/AAffected Product: Unified Communications ManagerAffected Version: 11.5.1.15900-18 (likely in all versions)Vulnerability Type: Exposure 
of Sensitive Configuration DataSecurity Risk: HighVendor URL: https:\/\/www.cisco.comVendor Status: Unknown Description usd discovered that Cisco Unified Communications Manager (CallManager) transmits passwords to TelePresence devices in plain-text. This [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16593","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16593"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16593\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}