{"id":16595,"date":"2021-07-08T10:36:15","date_gmt":"2021-07-08T08:36:15","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0038\/"},"modified":"2021-07-19T14:10:25","modified_gmt":"2021-07-19T12:10:25","slug":"usd-2018-0038","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0038\/","title":{"rendered":"usd-2018-0038"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0038 | Cisco Unified Communications Manager (CallManager)\/11.5.1.15900-18 (likely in all versions)<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2018-0038<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: Unified Communications Manager<\/span><br \/><strong>Affected Version<\/strong><span>: 11.5.1.15900-18 (likely in all versions)<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Exposure of Sensitive Configuration Data<\/span><br \/><strong>Security Risk<\/strong><span>: High<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.cisco.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cisco.com<\/a><br \/><strong>Vendor Status<\/strong><span>: Unknown<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p>usd AG discovered that Cisco Unified Communications Manager (CallManager) and connected SX20 TelePresence devices communicate in clear-text. 
This communication includes the synchronization of configuration data (e.g. user names and passwords) as well as video and audio telephony data. Attackers in a man-in-the-middle position can exploit this to gain access to devices as well as eavesdrop on video conferencing calls. The attacker does not require network access to the CallManager itself to exploit this. A possible scenario could be an attacker who has (short-term) physical access to a conference room with an SX20 or similar device installed.<\/p>\n<p>Cisco Unified Communications Manager (CallManager) is a server component for video conferencing and video telephony infrastructures. A typical setup of Cisco Unified Communications infrastructures includes one or multiple CallManagers connected to a number of video conferencing devices, such as Cisco TelePresence SX20. The TelePresence devices, which can, for example, be located in conference rooms, connect to the CallManagers to retrieve configuration files and whenever a video call takes place.<br \/>usd discovered multiple vulnerabilities in the way these devices interact and within the CallManager itself.<\/p>\n<h3><\/h3>\n<h3>First Proof of Concept: Obtaining configuration data<\/h3>\n<p>An attacker with physical access to a video-conferencing room can plant a device which acts as a transparent network bridge between the SX20 device and the network switch. Periodically the SX20 will contact the CallManager to download configuration data. This download takes place in plain text from TCP port 6970.<\/p>\n<p>This configuration data will contain the following XML tags:<br \/>&lt;AdminLoginDetails&gt;&lt;adminUserId&gt;admin&lt;\/adminUserId&gt;&lt;adminPassword&gt;passw0rd!&lt;\/adminPassword&gt;&lt;\/AdminLoginDetails&gt;<\/p>\n<h3>Second Proof of Concept: Eavesdropping on audio\/video calls<\/h3>\n<p>An attacker in a man-in-the-middle position can create network packet captures during video telephony calls. 
These captures can subsequently be used to extract audio and video data of the call, using videosnarf (https:\/\/www.jasonneurohr.com\/articles\/how-to-replay-h264-video-from-a-packet-capture).<\/p>\n<p>Please note that an attacker who is able to log in to the SX20 administration panel on TCP port 443 can also use the \u201eExtended Logging\u201c functionality to create similar packet captures. This does not require a man-in-the-middle attack. Attack vectors for obtaining administrative access are described in <a href=\"\/security-advisories\/usd-2019-0002\/\">usd-2018-0035<\/a>, <a href=\"\/security-advisories\/usd-2019-0002\/\">usd-2018-0036<\/a> and <a href=\"\/security-advisories\/usd-2019-0002\/\">usd-2018-0037<\/a>.<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>The communication between TelePresence devices and the CallManager should use TLS transport encryption with certificate verification. 
This would ensure that no clear-text data can be intercepted.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-10-31 Advisory has been sent to psirt@cisco.com<\/li>\n<li>2018-11-09 extended public disclosure deadline to 2019-01-23<\/li>\n<li>2019-01-23 Security advisory released<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was discovered by Marcus Gruber and Maximilian Boehner of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0038 | Cisco Unified Communications Manager (CallManager)\/11.5.1.15900-18 (likely in all versions) Advisory ID: usd-2018-0038CVE Number: N\/AAffected Product: Unified Communications ManagerAffected Version: 11.5.1.15900-18 (likely in all versions)Vulnerability Type: Exposure of Sensitive Configuration DataSecurity Risk: HighVendor URL: https:\/\/www.cisco.comVendor Status: Unknown Description usd AG discovered that Cisco Unified Communications Manager (CallManager) and connected SX20 TelePresence devices communicate in 
[&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16595","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16595"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16595\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}